Securing your Servers and Systems
Attacks on your infrastructure are a routine part of doing business today, and you need to consider how to protect yourself against a variety of them. Most of the advice on this page is general in nature and applies to your entire environment, not just Fieldpine applications.
General steps, not Fieldpine specific
- Change the password on the router's admin account from the supplied default, or set one if it has none. This password can be reasonably long and random. For many stores it is acceptable to write it on a sticker on the router itself so it does not get lost: any attacker physically able to reach your router has already defeated your security.
- Consider disabling any 'internet' or 'remote management' option that lets the router's configuration be reached from outside the store. Internet providers usually have a separate management channel into your router and are not normally affected by turning this off.
- If your router offers a separate "guest" network, use it for staff connecting personal devices rather than letting them join the store WiFi freely. Allowing personal devices onto your network means you also have to take their security into account.
PosGreen and PosService
- Ensure that the users running PosGreen do not have administrator rights. For 99% of retailers the POS does not need admin rights (except for support purposes).
- If you are running PosService, consider running it under an account other than Local Admin. Like PosGreen, it does not strictly require admin rights. If you change the account used for PosService, you must also change Gds/GlobalData to use the same account when it is present on the same computer.
Technically, Fieldpine registers shared resources in the "Global" namespace so that its applications can share them. The programs fall back to "Local" if Global is unavailable, but this means every cooperating program must then be running within the same namespace, which in practice means under the same account.
- Inside stores, consider using a different physical computer for 'day to day use' such as email, web browsing etc rather than using the computer that runs Fieldpine.
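As an added example (not part of Fieldpine's documentation or tooling), the following PowerShell audit checks the two points above on a register: which account PosService and Gds/GlobalData run under, whether those accounts match, and whether the day-to-day POS user sits in the local Administrators group. The service names `PosService` and `Gds`, the user name `posuser`, and the service-account name `possvc` are assumptions for the example; substitute the names used on your own machines.

```powershell
# Added example, not Fieldpine's own code. Audit the accounts used by the
# Fieldpine services and the interactive POS user. Service names, the POS
# user 'posuser' and the dedicated account '.\possvc' are assumptions.
param(
    [string[]]$ServiceNames = @('PosService', 'Gds'),
    [string]$PosUser = 'posuser'
)

# Win32_Service.StartName is the logon account the service runs as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $ServiceNames -contains $_.Name }

foreach ($svc in $services) {
    "{0,-15} runs as {1}" -f $svc.Name, $svc.StartName
}

# PosService and Gds/GlobalData must use the same account, otherwise the
# objects they register in the Global namespace are not shared and the
# programs fall back to Local.
$accounts = @($services.StartName | Sort-Object -Unique)
if ($accounts.Count -gt 1) {
    Write-Warning "Fieldpine services run under different accounts: $($accounts -join ', ')"
}

# Flag services still running as a built-in privileged account.
$privileged = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\Administrator')
foreach ($svc in $services) {
    if ($privileged -contains $svc.StartName) {
        Write-Warning "$($svc.Name) runs with administrative privileges ($($svc.StartName))"
    }
}

# The interactive POS user should not be a member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins | Where-Object { $_ -eq $PosUser -or $_ -like "*\$PosUser" }) {
    Write-Warning "$PosUser is a member of the local Administrators group"
}

# To move a service onto a dedicated, non-admin account, run the following from an
# elevated prompt. The account needs the 'Log on as a service' right and read/write
# access to the Fieldpine folders; repeat for Gds so both services share the account.
# $cred = Get-Credential -UserName '.\possvc' -Message 'Fieldpine service account'
# $target = $services | Where-Object Name -eq 'PosService'
# Invoke-CimMethod -InputObject $target -MethodName Change -Arguments @{
#     StartName     = $cred.UserName
#     StartPassword = $cred.GetNetworkCredential().Password
# }
# Restart-Service -Name 'PosService'
```

Run the audit as an ordinary user first; only the commented account change needs elevation. If the warning about differing accounts appears after you change PosService, Gds/GlobalData has not been moved to the same account yet.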
Opening firewall ports for inbound traffic
- If possible, use a Cloudflare tunnel to provide inbound access, as this hides your origin IP address. Can you open the tunnel at certain times only? Is access really needed at 4am on a Sunday?
- Do NOT expose a port without any form of authentication. Require a username and password as a minimum.
- Restrict inbound requests to specific source IP addresses where possible, although this is not always practical and may need ongoing adjustment as the other party's addresses change.
- Enable geo-based restrictions to block requests from countries you do not deal with. If you are located in Portugal, do you need to accept connections from users in North or South America?
FYI, the top 5 countries attacking fieldpine servers (in alphabetical order) are:
- United States
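As an added example (not Fieldpine's own code), here is how the IP restriction and the "only open it when needed" points above can be enforced with the Windows Firewall on the machine that exposes the port. The port `8443`, the supplier ranges `203.0.113.0/24` and `198.51.100.7` (documentation addresses, constructed for the example), the rule name and the script path are all assumptions. Geo-based blocking is not something the Windows Firewall does; that part belongs on the Cloudflare tunnel or whatever edge sits in front of you.

```powershell
# Added example, not Fieldpine's own code: allow an inbound port only from named
# supplier addresses, and keep the rule disabled outside business hours.
# Port, ranges, rule name and script path are assumptions; use your own values.
$RuleName = 'Fieldpine inbound (supplier only)'
$Port     = 8443
$Allowed  = @('203.0.113.0/24', '198.51.100.7')   # supplier ranges, constructed for the example

# Windows Firewall drops unsolicited inbound traffic by default, so the only rule
# needed is an Allow scoped to the approved remote addresses. Never add a rule
# with -RemoteAddress Any "just to get it working".
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $Allowed -Action Allow -Profile Any -Enabled False | Out-Null
}

# When the supplier's addresses change, replace the scope rather than widening it.
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Allowed

# Enable the rule only between 07:00 and 19:00 local time; it stays disabled otherwise.
function Set-InboundWindow {
    param([datetime]$Now = (Get-Date), [int]$OpenHour = 7, [int]$CloseHour = 19)
    $open = ($Now.Hour -ge $OpenHour) -and ($Now.Hour -lt $CloseHour)
    if ($open) { Enable-NetFirewallRule  -DisplayName $RuleName }
    else       { Disable-NetFirewallRule -DisplayName $RuleName }
    return $open
}

Set-InboundWindow | Out-Null

# Re-run this script every hour as a scheduled task so the window is enforced
# without anyone remembering to close the port. Runs as SYSTEM because firewall
# changes require elevation.
$scriptPath = 'C:\Fieldpine\Scripts\Set-InboundWindow.ps1'   # assumed location of this script
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                -RepetitionInterval (New-TimeSpan -Hours 1)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'Fieldpine inbound window' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Verify: the rule's remote scope should list only the supplier ranges.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The scope check at the end is worth running after any "quick fix" by support staff: a rule whose `RemoteAddress` reads `Any` means the port is open to the whole internet, and the authentication on the service behind it is then the only thing left.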
- Systems you interface to often want to receive "all customers" as an extract. Think carefully about this: while it is easier for the software developers, you have just increased your attack surface (the number of places you can be attacked) and added another supplier who now holds your data.
- Do they really need "all"? Would customers active in the last 3 months be sufficient?
- Do they need every column? Fieldpine can hold a wide variety of details; only provide the information they have a valid need to access, which is also a tenet of many privacy laws.
- Fieldpine applications include some controls that might not be present in other suppliers' systems. For example, velocity controls (rate limits) on some API calls constrain how quickly data can be pulled out.
- Do your own backups, even if you are using cloud solutions. If you use a NAS (network storage), periodically take backups to devices that are not network connected. Ransomware attackers have been known to quietly corrupt backups for some time before locking you out, so that the copies you restore from are damaged too.
- Do NOT store credit card information inside Fieldpine. We do not provide fields to hold this data, as doing so requires higher levels of PCI DSS compliance. If you must store information like this, consider breaking it into 2 or more pieces: store half in one place and the other half somewhere else, such as a locked notebook, so that attackers need access to both halves. (Agreed, one half is still useful, but less useful than everything.)
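The "all customers" extract discussed above is where data minimisation is easiest to apply in practice. As an added example (not a Fieldpine export or part of its documentation), the PowerShell below builds an extract for a third party that contains only customers active in the last 3 months and only the columns the recipient has justified. The three customer records are constructed for the example; in practice you would read them from your own export. The column names (`CustomerId`, `LastSale`, `DateOfBirth`, `Notes` and so on) are assumptions, not Fieldpine's field names.

```powershell
# Added example, not Fieldpine's own export. Produce a minimised customer
# extract: recent customers only, approved columns only. Records and column
# names are constructed for the example.
$customers = @(
    [pscustomobject]@{ CustomerId=1001; Name='A Smith'; Email='a@example.com'; Phone='021 000 0001'; DateOfBirth='1980-02-03'; Notes='Prefers morning deliveries';  LastSale='2024-05-30' }
    [pscustomobject]@{ CustomerId=1002; Name='B Jones'; Email='b@example.com'; Phone='021 000 0002'; DateOfBirth='1975-11-20'; Notes='Complained about invoice 77'; LastSale='2023-09-14' }
    [pscustomobject]@{ CustomerId=1003; Name='C Wu';    Email='c@example.com'; Phone='021 000 0003'; DateOfBirth='1992-07-07'; Notes='';                            LastSale='2024-06-10' }
)

function New-CustomerExtract {
    param(
        [Parameter(Mandatory)] [object[]]$Customers,
        # Columns the recipient has a valid need for; everything else stays home.
        [string[]]$ApprovedColumns = @('CustomerId', 'Name', 'Email'),
        [int]$MonthsOfActivity = 3,
        [datetime]$AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddMonths(-$MonthsOfActivity)
    $Customers |
        Where-Object { [datetime]$_.LastSale -ge $cutoff } |    # "last 3 months", not "all"
        Select-Object -Property $ApprovedColumns                # drops DOB, phone and free-text notes
}

$asOf    = Get-Date '2024-06-15'   # fixed date so the example is reproducible
$extract = @(New-CustomerExtract -Customers $customers -AsOf $asOf)

# Record what left the building: row count and column list, never the rows themselves.
"Extract for supplier: {0} of {1} customers; columns: {2}" -f `
    $extract.Count, $customers.Count, ($extract[0].PSObject.Properties.Name -join ', ')
# With the constructed data this reports 2 of 3 customers (B Jones is older than 3 months).

$extract | Export-Csv -Path '.\supplier-extract.csv' -NoTypeInformation
```

If the recipient later asks for another column, the change is one entry in `$ApprovedColumns`, made deliberately and visible in the log line, rather than a silent switch back to exporting everything.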