Steven H. Blackwell

Moderators
  • Content count

    4,981
  • Joined

  • Last visited

  • Days Won

    31

Everything posted by Steven H. Blackwell

  1. You might want to review a new Tech Info about a number of significant behavior changes in FileMaker® Pro 16 and FileMaker® Server 16 compared to behaviors of prior versions: http://thefmkb.com/16316 Steven---Steven H. BlackwellPlatinum Member EmeritusFileMaker Business Alliance
  2. Here is an Infographic showing the Security Schema of the FileMaker Platform at it now stands at Version 16.
  3. There have been a number of reports of developers having difficulty logging into FileMaker® Pro 16 files with OAuth2 based Accounts once they have set up the services on FileMaker® Server 16. Briefly to review, developers can now specify Amazon, Google, or Azure Active Directory Accounts to validate Identity Assertions and gain admission to the file. However, users must understand that when using these OAuth2 Accounts that they do not enter the credentials in the normal place in the dialog. That locale is reserved for FileMaker Accounts and legacy External Server Authentication Accounts only. Instead, users should click the respective button for the Identity Service they are using as shown in the illustration. Once this is done, the authentication process can continue. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance
  4. One of the best new security features in the FileMaker 16 Platform is that, by default, several external Application Program Interfaces (APIs) are off and disabled. AppleEvents, ActiveX, and FMPURL Perform Script are all still there. But developers must specifically select and enable them. This feature prevents unauthorized manipulation and interaction with FileMaker Pro files, both stand-alone and hosted by FileMaker Server. Such manipulation can be used to alter data, destroy data, create data, run scripts, and in some instances, manipulate the User Interface. Such attacks can have significant impact on FileMaker Platform business solutions as described in FileMaker Security BLOG post found at http://fmforums.com/blogs/entry/1652-security-vulnerabilities-of-filemaker-platform-api’s-an-update/ If developers do use AppleEvents, ActiveX, or FMPURL Perform Script in solutions, and they wish to use FileMaker® Pro 16, then they must now specifically enable the desired Privilege Bit for these APIs. This can be done on a Privilege Set specific basis. If developers do not enable these privileges, then the solutions will not perform as designed. This is true irrespective of whatever settings might have been in earlier versions. To enable the specific privilege, go to Manage Security and select the Extended Privileges section. Then check the desired option, as shown here: Following this practice will allow the specific API to interact with the file as desired. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance
  5. The release of Version 16 of the FileMaker Platform brings with it a host of new security features reaching across the entire platform. FileMaker Platform developers as well as our customers and clients who are data owners need to take a variety of steps to protect their FileMaker Platform Business Solutions. Threat Agents of many varieties seek to exploit vulnerabilities that might exist in those solutions to compromise them, to steal data, to alter data, or to destroy data. Continued existence and functioning of the business itself, regulatory requirements, civil and criminal liability, and brand reputation protection all argue strongly for robust security. As we move more and more towards the Cloud and to Software as a Service, security as a fundamental business requirement will become more and more important. I do not want to see the loud and public dismissal of the FileMaker Platform from an organization as the result of a security breach that is otherwise preventable. I am very pleased to see the new security features in FileMaker Pro 16 for controlling external API’s. They allow developers to protect files from manipulation and compromise by unauthorized persons. This feature is of particular importance to developers of vertical-market business solutions as well as to any others offering demo or trial versions of their products. These new features help close vulnerabilities that attackers could exploit. This is a major and significant new security enhancement, and I commend FileMaker, Inc. for including it in the new release. Steven H. Blackwell
  6. FileMaker 16 Platform Brings Significant New Security Features The release of Version 16 of the FileMaker Platform brings with it a host of new security features reaching across the entire FileMaker Platform, from FileMaker® Server 16 to FileMaker® Pro 16 to WebDirect™ and beyond. There are new controls on the use of three external Application Programming Interfaces (API’s): AppleEvents, ActiveX, and FMPURL. These controls significantly strengthen security in this area and prevent use of the API’s to manipulate and compromise the database files. There is a new option to encrypt individual fields in a table of the database. Developers must learn what this feature is and what it does and does not do. For example, it does not replace Encryption At Rest (EAR) for files. Version 16 also expands Federated Identity Management with the addition of three new Identity Services that can authenticate user identity assertions. Google Accounts, Amazon Accounts, and Azure Active Directory Accounts and Groups, can now validate such assertions. Again, developers must learn how this feature works and what it does and does not do. Read more in this new White Paper jointly authored by Wim Decorte and Steven H. Blackwell. Introduction To The Numerous Significant New Security Features In FileMaker Platform Version 16 that you can download from this link: http://fmforums.com/files/file/90-new-security-features-version-16/ You can also read more about the new OAuth2 Identity Assertion Validation options in a second White Paper also jointly authored by Wim Decorte and Steven H. Blackwell. Federated Identity Management OAuth Identity Providers in FileMaker 16 that you can download from this link: http://fmforums.com/files/file/91-oauth-identity-providers/ Wim Decorte will also be presenting a program at the 2017 DevCon on this topic. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance
  7. Version 1.0.0

    102 downloads

    OAuth Identity Providers by Wim Decorte and Steven H. Blackwell

    Free

  8. Version 1.0.0

    181 downloads

    This paper by Wim Decorte and Steven H. Blackwell introduces the new security features in Version 16 of the FileMaker Platform.

    Free

  9. Version 1.0.0

    4 downloads

    External Server Authentication paper by Wim Decorte and Steven H. Blackwell.

    Free

  10. Version 1.0.0

    2 downloads

    Security tech brief as it was updated for FileMaker® Pro 9.

    Free

  11. Version 1.0.0

    4 downloads

    Original Tech Brief on new FileMaker Platform Security from FileMaker® Pro 7 eara in 2004.

    Free

  12. Please carefully note the advise you have been given about the distinction between the User Interface (layouts) and the data themselves. The script can access the data if starting from the right context as defined on the Graph. I agree with Wim's comment about Run script with full access privileges. Use that step with caution. Steven
  13. For a further discussion on issues related to insecure default settings, please see this article: https://snyk.io/blog/mongodb-hack-and-secure-defaults/?utm_content=bufferaec24&utm_ Steven
  14. Security Vulnerabilities of FileMaker Platform API’s: An Update January 9th 2017 In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API, possibly more, if ExecuteSQL is included. The central thesis of that article was that these API’s provide unexpected attack vectors to compromise FileMaker Platform files. As noted at the time: Many FileMaker developers are not aware, however, that these API’s have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions. Unfortunately, in the intervening nine-month time span, we continue to see cases where several of these API have been used for malicious purposes to compromise FileMaker Platform files’ business process integrity, to manipulate data, and to extract data. And many in the developer community remain unaware of this problem. In this BLOG entry, I will describe two of these API’s in greater specificity and detail, including describing a variety of attacks they can facilitate. This article will not discuss the ActiveX API that is available on Windows OS; however, developers should give similar attention to that approach. Developers need to be aware of these items in order to protect their files and those of their clients. The two API at the center of this focus are Apple Events and the FMPURL process. In the earlier article, I noted several elements about these that bear repeating here: [These API] cause particular concern because of their breadth and relative ease of use…. The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. [http://thefmkb.com/5671] The FMPURL…can open a file and run a script in it. If the file is already open, then the script will still run. [http://thefmkb.com/5560] A few general comments about both of these API’s: · They are not platform-specific in the sense that just because a client organization is an all Windows OS environment that it is immune from an Apple Event attack. It’s the OS of the attacker that controls whether the API can be used. · There are some ways within Privilege Sets to constrain behavior of these API commands when they are applied on a file. The Export privilege bit can control the ability of Apple Events to extract data from a file. The Layout Access privilege bits can also constrain the ability to see contents of a layout. Likewise, Script Access privilege bits can control the availability of a script to either of these API. · These API often perform actions in unexpected fashions that fall outside the normal, traditional, and familiar FileMaker Pro User Interface behavior. This is part of what catches developers by surprise. —Apple Events— When a file is open, whether standalone or hosted by FileMaker Server, an attacker can send Apple Event commands to it causing it to perform a variety of actions, including: · Run any script to which the user has access, irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button. · Navigate to any Layout irrespective of whether that Layout’s name is in the list of Layouts or not. If the user’s Privilege Set has access to see that Layout, then its contents are visible whether the developer ever intended for the user to view the Layout or not. · Return various metadata about the file, including such items as Script Names, Value List Items, Layout Names, Field Names, etc. If a user’s Privilege Set does not allow access to the item, its name does not appear in the list returned. · Put data into any field in the database or extract data from any field, irrespective of whether that field is on the active Layout or is on any Layout for that matter. Here are several examples of these scripts, all working on a file named Our_Secret_Information.fmp12. tell application "FileMaker Pro Advanced" activate go to first layout end tell tell application "FileMaker Pro Advanced" activate do script FileMaker script "Relog_as_Admin" end tell tell application "FileMaker Pro Advanced" activate set somevar to name of every layout end tell tell application "FileMaker Pro Advanced" activate set somevar to name of every field end tell tell application "FileMaker Pro Advanced" activate set somevar to get data field "CreditCardNumber" end tell —FMPURL— The FMPURL command’s principal attack vector is that it can be used to run any Script in a file to which a user’s privileges has access. Similar to Apple Events, this occurs irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button. If the file is closed, the command first opens the file with supplied credentials, then runs any OnFirstWindowOpen script, and then runs the designated script from the FMPURL command. As a result of this behavior, a Halt Script step at the end of the opening script has the effect of blocking the running of the FMPURL designated script. Some developers have utilized this technique to block FMPURL calls to scripts in a file. However, if the file is already opened or if there is no opening script, then the designated script does run. Here is an example of calling a script, again in our file Our_Secret_Information.fmp12 being hosted at a server at IP address 0.0.0.0. fmp://0.0.0.0/Our_Secret_Information.fmp12?script= Relog_as_Admin —What Is the Significance Of This and How Do We Address This?— One of the many reasons we caution developers against embedding security elements such as Identity and Access Management controls into the data layer of FileMaker Pro databases is precisely because such elements are vulnerable to these API attacks. Think for a minute about that Relog_as_Admin script that presumably relogs into the file with a [Full Access] Account. If an Attacker can trigger that script and cause it to run, irrespective of what the developer might have intended, then the Attacker has full access to the file. This has actually happened. Or, suppose that a developer has made a “Developer_Only” layout in the file, removed it from the list of layouts, and left sensitive information on it. If the Attacker can navigate to that layout, and if it is not protected by settings in the Privilege Set, then the Attacker can learn the contents of the information on it. This has actually happened in numerous instances, including unbelievably, the appearance of [Full Access] level credentials left exposed on the layout! Likewise, suppose that a developer has made a so-called “Privileges Table” with various fields that purport to control whether a user can do such things as create records. Using the Apple Event Set Data command, an Attacker could likely change the values in these fields if they do not enjoy additional protection. More likely even, the Attacker could simply issue a Make New Record command and create the record. That is a process frequently used to thwart developer-imposed limitations on the number of records in a demonstration version of a vertical market solution. So, what can be done to manage this situation and to prevent these type attacks? In FileMaker® Pro 15, FileMaker, Inc. added a new Extended Privilege option in the Privilege Set called fmscriptdisabled. Developers must explicitly invoke this option; it is not a default option. What it does is to prevent Apple Events (Macintosh OS) and ActiveX commands (Windows OS) from activating scripts, just as the name implies. It has no impact on FMPURL or on other Apple Event commands that do not involve triggering of scripts. Some of the other items in a Privilege Set, notably Export and data layer modification elements, can control Get Data and Set Data Apple Events. If Export is disabled, then Get Data will not return data from the selected field. In tables where the editing privileges are restricted, likewise, Set Data will not add data to a field. Creation and deletion privileges behave in similar fashion. Remember, we are talking here only about Apple Events. Other processes may behave differently. Controlling API behavior is important; however, it is not the only security feature that developers must invoke to assure Confidentiality, Availability, and Integrity of their database systems. So, clearly what we need here is a way to block these API from interacting with FileMaker Pro files. FileMaker, Inc. is aware of these issues and has been working on new ways to address them. In the Product Road Map Webinar presented on November 30th 2016, FileMaker, Inc. noted that the next version of the FileMaker Platform will contain a number of additional security enhancements. I am authorized to say that one of those enhancements will be a new process for more closely and granularly controlling several of these API’s. At such time as there is any new version of the FileMaker Platform, I will have additional comments and analyses of the issues related to these API’s.
  15. The deadline for submitting Program Proposals for the 2017 DevCon is fast approaching: just a little over a week left. There is a new format for this year. There is more information here: https://community.filemaker.com/community/devcon-2017/pages/about-devcon-2017 Steven H. Blackwell
  16. These may prove useful: http://www.filemaker.com/products/filemaker-cloud/specifications.html http://www.filemaker.com/products/filemaker-cloud/compare.html Steven H. Blackwell
  17. This is not expected behavior, especially in the absence of either a copy or a clone of the file. A snapshot link (FMPSL) may produce better results. Steven
  18. FileMker, Inc. has released the 15.0v2 updater fro FileMaker Server. http://www.filemaker.com/support/downloads/
  19. This is probably due to a VLA install configuration. What does the function Get(AccountName) return? It should return the Account Name, in this instance the Account Name from Active Directory. User Name is not part of the process. Steven
  20. Recommended reading about FileMaker Cloud: http://www.soliantconsulting.com/blog/2016/09/filemaker-cloud-executive-summary by Wim Decorte. Steven
  21. Please remember this is a 1.0 version. There is, I believe, a high likelihood that future versions will have added features and functionalities: http://fmforums.com/blogs/entry/1629-filemaker-cloud/#comment-108 Steven
  22. Short video on FIleMaker Cloud: Steven
  23. I am very excited about the advent today of FileMaker Cloud. It is an excellent addition to the overall FileMaker Platform. Even in Version 1.0 we can see major benefits and uses for FileMaker Cloud. Over time and in succeeding versions, I believe these will get even better. It is scalable, both up and down. It can meet rapidly changing needs for infrastructure to support FileMaker-based business management systems. It is secure. Your files are encrypted. And data in transit are also encrypted. This is important to preserve the Confidentiality, Integrity, Availability, and Resilience of your FileMaker business management systems. It is part of the FileMaker Platform. Users can connect to its hosted files with FileMaker Pro, FileMaker GO, and WebDirect™ clients. It requires minimal administrative attention once established. And while no system can ever be a fire-and-forget structure, FileMaker Cloud offers ease of management. Amazon Web Services handles the heavy lifting. FileMaker Cloud introduces the industry-standard oAuth2 process to the FileMaker Platform. That process allows new options for Identity and Access Management. In Version 1.0 that is confined to credentials for managing the newly revamped FileMaker Server Admin Console. This will work with an administrator’s regular Amazon Account. Such federated identity management support might possibly in the future allow developers to utilize other authentication platforms to validate user credentials. Then those other platforms could pass that validation to FileMaker Server and admit the user to specific files. And with correct file privileges to boot! I want to congratulate FileMaker, Inc. and its Engineering, SQA, and Product Management Teams on this initial foray into the Cloud. I look forward to future enhancements to FileMaker Cloud. Steven H. Blackwell
  24. Some familiar FileMaker faces in this video:
  25. It's a waste of money for features that a database server does not need to get the Macintosh Pro "trash can" machine. 16 GB of RAM is pretty minimal for most deployments, particularly if you are deploying WebDirect™ connectivity. How many files, how many users, etc. are you contemplating? Steven