C19. How can I optimise the security of my database?

Since lawyers deal with particularly sensitive data, the security of the timeSensor LEGAL database is an especially serious matter. The article below provides information on how to ensure the safe operation of the database.

General information

This FAQ article is limited to information with regard to the security settings concerning the 4D database itself. Regardless of these settings, you must also ensure the security of your infrastructure. For example, the network must be protected by a firewall and the workstations must be updated with the latest software. We highly recommend that the security of your infrastructure is periodically checked by an independent expert!

Database encryption

In multi-user mode, the client application communicates permanently with the 4D database. In order to prevent data traffic between the client and the 4D Server from being intercepted, you should encrypt the communication between the client and the 4D Server. To do this, please proceed as follows:

  • In the 4D server administration window, click on "Application Server" and check whether encryption is already enabled or not. Encryption is enabled if "Yes" is displayed next to "SSL active:". In that case, you don't need to do anything.
  • Otherwise: In macOS, open the "File" menu and then select the item "User settings for data file…" under "Database settings"; or in Windows, open the "Edit" menu and then select the item "User settings for data file…" under "User data settings…".
  • In the dialogue box, click on the tab "Client-Server"
  • Activate the checkbox "Encrypted client-server connections"
  • Click "OK" to save the settings
  • Exit the database server and then restart it.

In order to enable the clients on the individual workstations to log on with SSL encryption in future, you must now change the connection type on the workstations. (You will only need to do this once.) Please proceed as follows:

  • Start the client and hold down the Alt key (Windows) or Option key (macOS)
  • In the Connection window, click "Custom"
  • Enter the following in the "Application Name:" field: ^timeSensor
    N.B.: the leading circumflex ensures that the client will log on to the server using SSL encryption in future
  • In the "Network Address" field, enter the IP address of your server
  • You can now connect as usual.

Note for administrators: if you manage a larger number of workstations, you can also roll out a preconfigured client via your deployment tool. The client application folder has a sub-folder called "Database", in which you will find the file "EnginedServer.4Dlink". The exact path is as follows:

  • macOS: Contents/Database/EnginedServer.4Dlink (within the client program package)
  • Windows: timeSensor Client/Database/EnginedServer.4Dlink

This XML file should be edited as shown in the example below. Here it is also important to place a circumflex before the database name (i.e. ^timeSensor).
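
An added check for preconfigured clients before rollout (not part of the original article and not vendor code): it parses an EnginedServer.4Dlink file, reports when the database name lacks the leading circumflex, and returns a corrected copy. The `database_shortcut` element, its attribute names and the sample address 192.0.2.10 are assumptions based on 4D's .4DLink shortcut format; compare them with the file shipped in your client.

```python
import xml.etree.ElementTree as ET

# Constructed sample of EnginedServer.4Dlink; the element and attribute names
# are assumed from 4D's .4DLink shortcut format, the address is a placeholder.
SAMPLE_LINK = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<database_shortcut is_remote="true" '
    'server_database_name="timeSensor" server_path="192.0.2.10"/>'
)

def audit_link(xml_text):
    """Return findings; an empty list means the link requests an SSL connection."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    name = root.get("server_database_name")
    if name is None:
        findings.append("server_database_name attribute is missing")
    elif not name.startswith("^"):
        findings.append(f"'{name}' has no leading circumflex: client will not request SSL")
    if not root.get("server_path"):
        findings.append("server_path (server address) is missing")
    return findings

def enforce_ssl(xml_text):
    """Return the link file text with the circumflex prefix on the database name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    name = root.get("server_database_name")
    if name is None:
        raise ValueError("server_database_name attribute is missing")
    if not name.startswith("^"):
        root.set("server_database_name", "^" + name)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body

if __name__ == "__main__":
    for finding in audit_link(SAMPLE_LINK):
        print("FINDING:", finding)
    fixed = enforce_ssl(SAMPLE_LINK)
    print(fixed)
    print("findings after fix:", audit_link(fixed))
```

Run the audit against the file inside the packaged client before it goes to the deployment tool, and fail the rollout if any finding is returned.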

Password Management

Since tSL 7.0/Build 2139, user passwords are no longer stored in the database. Only a hash code is stored, so even the Administrator can no longer read user passwords. However, this improvement in security is only effective if all users choose secure passwords. With this in mind, please ensure that your users choose passwords that are sufficiently strong.

If an incorrect password is entered three times in succession for a user account, the password dialogue closes and the corresponding user receives a ticket informing him/her of the unsuccessful access attempt.

Administrators can also choose to be informed about such incidents by activating the "Send tickets for security-relevant messages" checkbox in their user account. We recommend that you make use of this option and define a process that takes effect when such incidents occur in your law practice. After any unsuccessful access attempt, it should at least be clarified whether the user had forgotten his/her password or whether it was in fact an attempt by a third party to access the account.

Login Dialogue

When logging on to the database, the user first encounters the timeSensor LEGAL login dialogue box. timeSensor LEGAL offers several security levels for this dialogue box that can be selected in the Settings section under "Admin"/"Special". To adjust the security for this dialogue box, click the Security tab and set the Login Dialogue slider to the desired level:

  • Level 1 ("More Convenient"): this is the "classic" login dialogue. It shows the user list and the list of active entities (assuming that there are multiple entities), and automatically remembers the last user or entity so that they are automatically preselected. Although this dialogue is user-friendly, it is not ideal from a data protection perspective, since it reveals the names of users and entities. Only use this level if you are using timeSensor LEGAL in a small, protected environment.
  • Level 2: At this level, the login dialogue shows neither the user list nor the entity list and the user has to enter them manually. timeSensor LEGAL remembers the last entries, so that these fields are usually already filled in and it is only necessary to enter the password.
  • Level 3: The same as Level 2, but timeSensor LEGAL only remembers the last entity. The user name and password must always be entered manually by the user.
  • Level 4 ("More Security"): The same as Level 2, but timeSensor LEGAL does not remember the previous entry. The entity code, user name and password must always be entered manually. This is the highest security level and is recommended, especially if your database is in the cloud.