Jump to content
  • entries
    41
  • comments
    56
  • views
    84,852

About this blog

Discusses issues of Confidentiality, Integrity, and Availability of FileMaker Pro databases.

Entries in this blog

Steven H. Blackwell

The Power and Advantages Of External Server Authentication With FileMaker Server

By

Steven H. Blackwell

May 9th 2011

Since the advent of FileMaker® Server 7 in 2004, FileMaker developers have been able to employ External Server Authentication for controlling Identity and Access Management to FileMaker files when hosted by FileMaker Server. Yet, either from lack of knowledge or from incorrect assumptions about the process, many do not employ this powerful option.

First, a little background information might be useful to further understanding of this process. Most developers are aware that a FileMaker file can contain multiple Accounts and that each individual Account is attached to a given Privilege Set. The Account, together with its password, serves to determine who is accessing the file and that the person accessing is who he or she claims to be. Who are you, and are you actually whom you claim to be? Once authenticated, the user is admitted to the file with the privileges defined in the Privilege Set associated with the Account.

When a system contains one or two Accounts and maybe only a couple of files, this construct of Accounts and Privileges is reasonably easy to manage. But for many users across many files, management is far more complex. This has lead some developers to construct ersatz log-on and security systems of varying degrees of complexity in an attempt to manage the system. I have seen literally scores of these over the past seven years. Almost completely without exception, they have proved highly vulnerable, easy to defeat, and susceptible to manipulation. They detract from, and damage, security in the files where they are used.

External Server Authentication allows us to remove the Accounts and passwords from the FileMaker file and place those Accounts and passwords either on a Domain Controller or directly on the FileMaker Server machine itself. Accounts on the server are placed into Groups, each of which can contain many Accounts. In the FileMaker files themselves, instead of individual Accounts, developers can create identically named Groups and attach each to an individual Privilege Set. These Groups must exactly match those created on the server.

When a user seeks access to a file hosted by FileMaker Server where External Server Authentication is employed, FileMaker Server queries the server (either itself or the Domain Controller) to determine the authenticity of the Account. If the Account is deemed valid, then the user is connected to the FileMaker file with the correct set of privileges. FileMaker Server matches the Group name in the file to the Group name on the server that houses the Account to determine what that set of Privileges should be. This process works to authenticate users connecting by FileMaker Pro clients as well as by Instant Web Publishing and by Custom Web Publishing.

This process works with Active Directory on Windows Server, with Open Directory on Macintosh Server, and with local security groups on either platform, although in slightly different ways. However, contrary to popular belief, it does not work with generic LDAP server connections. Part of the FileMaker Server Administration Console has a configuration panel for LDAP. This has nothing at all to do with External Server Authentication. Additionally, and again contrary to popular belief, a Domain Controller is not required to make External Server Authentication work. The external Groups can be on the FileMaker Server itself.

So why use External Server Authentication? What are its capabilities? What are its benefits? What are its advantages? There are a number of these.

1. Use of External Server Authentication dramatically simplifies Account management, especially for many users across multiple files. Once the system is set up correctly, the Account name and password need be entered only one time and in only one place. It does not have to be entered individually in each file. For a system with 25 users and 15 files, that would be 375 separate entries in individual files, versus 25 entries in one place with External Server Authentication. The likelihood for error is dramatically reduced.

2. When using External Server Authentication and updating an existing FileMaker solution, the developer does not have to worry about reconciliation of Accounts and passwords added or deleted since the prior update. This is very helpful, especially when using The Separation Model™ construct. Accounts are not in the files, including UI and logic files. So there is nothing there that changes when a older version of a file is swapped out for a newer one.

3. External Server Authentication takes advantage of the security system that an IT department has already established in either a small organization or a large one. FileMaker developers can thereby leverage the usefulness and power of these assets. FileMaker developers and DBA’s are freed of the burden of managing Identity and Access Management by utilizing assets already in place.

4. In some circumstances, developers can take advantage of the power, usefulness, and convenience of Single SignOn, (SSO) also called Single Source LogOn. In such a system, once a user is authenticated by the Domain Controller for access to network assets such as file servers, printers, etc., that same authentication can be passed seamlessly to FileMaker Server. The user is then not required to enter additional credentials to access the FileMaker files. Users need to remember only one set of credentials; they are therefore thought not to be as likely to write their credentials down somewhere and leave them where they can be discovered. SSO works from Windows OS workstations to FileMaker Server running on a Windows OS Server. It does not work in any other configuration of Operating Systems; however, it can be emulated on Macintosh OS workstations by use of the KeyChain. Inappropriate KeyChain use can itself be a problem; such misuse can be managed. That is a topic perhaps for a future Blog posting here.

5. External Server Authentication, when used with a Domain Controller, can extend the scope of tools for Credentials Lifecycle Management. Length and complexity of passwords are better controlled. The same is true for blocking the repetitive use of the same password. Additionally Domain Controllers can manage the permissible days and times and locations of log-ons. Additionally, Domain Controllers can prevent simultaneous log-ons with the same credentials. External Server Authentication thus expands the range of Identity and Access Management controls beyond those found in the native FileMaker file itself.

There are a number of different configuration scenarios for External Server Authentication depending on the specific mix of Operating Systems in place among FileMaker Server machines, user workstations, and Domain Controllers. This topic is covered in vast detail in a White Paper I co-authored with FileMaker Server world class expert Wim Decorte. That paper, Server External Authentication, was last updated for FileMaker® Server 9 in 2008. However it contains information still pertinent and useful for FileMaker® Server 11.

To recap, External Server Authentication offers FileMaker developers and DBA’s as well as IT managers flexibility, ease of Account management, and utilization of a range of IT created security assets. It should be a core part of every FileMaker developer’s arsenal.

Steven H. Blackwell

April 27th--Update.

We were recently advised that a last minute change in the encryption level of secure storage resulted in that encryption's being 128 bit, not 256 bit as the attached document on Containers states. This is still a strong level of encryption.

 

April 4th 2012

Today’s release of FileMaker® Server 12, together with its companion FileMaker Pro and FileMaker GO products, marks another important milestone on the FileMaker, Inc. Product Roadmap.

FileMaker Server is at the center of all robust and business critical FileMaker solution deployments. It provides safe and reliable hosting of multiple files for access by multiple simultaneous users employing a variety of clients including FileMaker Pro, FileMaker GO, modern web browsers, and ODBC/JDBC savvy applications.

There is one very important caveat about all this, however. For FileMaker Server reliably and effectively to accomplish its various tasks, it must be deployed correctly, configured correctly, and managed correctly.

There are a number of new features in FileMaker Server 12; likewise there are some very significant changes in the way long-standing features function. It is very important for all FileMaker devel­opers and all IT Administrators with FileMaker Server responsibilities to be aware of these in order correctly and safely to deploy the new version of FileMaker Server.

Wim Decorte and I are pleased to present a series of Technical Narratives that discuss a variety of these topics in some depth and detail.

FileMaker® Server 12 Overview

FileMaker® Server 12 Remote Containers

FileMaker® Server 12 New SSL Features

FileMaker® Server 12 Processes

FileMaker® Server 12 Cache

FileMaker® Server 12 Backups

PDF’s of these papers are attached to this BLOG post as an archive. Simply save the Archive by clicking on the file icon and extract the Narratives. Start with the one titled Overview.

 

Steven H. Blackwell

Platinum Member Emeritus, FileMaker Business Alliance

 

FileMakerServer12_Narratives.zip

Steven H. Blackwell

Aligning FileMaker Security Requirements To Business Interests

 

March 29th 2016

 

There has been a considerable amount of discussion recently in various FileMaker Platform venues about database security.  Much of the discussion has focused on the use of one technique or another, and most of those techniques actually detract from the security of FileMaker systems rather than enhance security.

Absent from these discussions, however, has been any description of first instance reasons for having security features in place in the FileMaker Platform. This BLOG entry will discuss the relationship between business interests and security requirements. Developers and administrators must assure that they have properly aligned security requirements with business interests. Generally speaking, we are seeking to assure the Confidentiality, Integrity, Availability, and Resilience (CIAR) of digital assets and supporting physical assets in the organization.

First and foremost, businesses and organizations of most every type have an interest in business continuity.  That is, they have an interest in remaining in business, and in being able to continue to function to perform their missions, all in the face of some natural or man-made interruption.  That includes cyber-attacks of varying types; but, such attacks are not the only potential interruption that can cause an organization to cease operations, either temporarily or permanently.

Physical damage to IT technology hardware whether by cyber-attack, flood, fire, tornado, building collapse, or similar disaster is one likely cause of business interruption and continuity failure. So is a new phenomenon:  the ransom-ware attack.  These attacks encrypt the entire data infrastructure of an organization with the attackers demanding a ransom to decrypt the data and release the underlying information back to the organization.

Business continuity can also fail as the result of the loss of customer or client confidence in the organization resulting from a data breach or data exfiltration. Additionally, if attackers were to damage or to delete significant portions of the organization’s data, the organization may not be able to continue in operation.

All these business continuity imperatives argue strongly for robust steps to preserve CIAR and to allow the organization to continue to function post-attack or post-disaster.

Regulatory compliance requirements related to data privacy and avoidance of the associated penalties for non-compliance are another key business interest for most organizations.  At international, national, and state levels, there are a variety of statutory and regulatory requirements for safeguarding data against breaches, for notifying affected individuals of breaches, and for post-breach monitoring and management. An organization’s compliance failure can subject it to civil and criminal penalties, including substantial fines. Clearly, any organization, irrespective of structure or mission, wants to avoid these potential penalties.

Organization brand reputation is another key business requirement needing safeguarding. The negative publicity that follows in the wake of a breach as well as the impact and burden of remediation for those whose data are compromised can seriously, if not permanently, tarnish the reputation that an organization has often worked years to achieve. Lost of customer or client confidence, loss of members’ confidence for professional and trade associations, and degradation of analyst and media opinion can all rapidly sink any organization.

Many FileMaker Platform customers and clients are small to medium-size businesses.  They frequently have fewer resources to combat the after-effects of CIAR loss. They are the ones most likely to suffer failure of business continuity and to be driven out of business by severe attacks. Larger businesses can also experience negative effects as well; however, they may have more resources to be able to continue to function.

These are some of the business interest reasons for safeguarding FileMaker Platform systems.  They are the underlying primary reasons for designing and implementing robust CIAR security in FileMaker systems.  These are not the only reasons of course.  There can be others, notably protection of developer intellectual property. But the concepts of business continuity, regulatory compliance, and avoidance of civil liability are core reasons that drive security requirements.

Steven H. Blackwell

Steven H. Blackwell

The FileMaker Platform API’s Are Your Friends, Right?

The FileMaker Platform supports integration with a variety of Application Programming Interfaces (API’s), and it has done so for a very long time. These API’s allow FileMaker Platform developers to integrate their solutions with other technologies and applications. This is an incredibly useful capability; indeed, from both technological and business-process standpoints, it is essential.

Many FileMaker developers are not aware, however, that these API’s have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions.  Correctly configured and appropriately granular Privilege Sets can control many of these behaviors. But developers must first understand what those behaviors are and then how to control them.

This FileMaker Security BLOG entry will identify a number of these API’s, will describe their use as attack vectors, and will point out some specific issues with several of the API’s. My hope and intent is to equip FileMaker Platform developers with the knowledge necessary to recognize these issues and to address them.

The FileMaker Platform utilizes a number of API’s:

  • Apple Events
  • Active X
  • WebDirect™
  • XML
  • PHP
  • Execute SQL
  • xdbc (ODBC and JDBC)
  • Plug-Ins
  • FMPURL
  • FileMaker Pro External File References and Data Sources

Many developers may be surprised by my including the FileMaker Pro application itself in the list of API’s. Yet, through use of its powerful capabilities to access data in other files and to trigger business-level processes such as scripts, the application is, in fact, an API to itself. This has significant impact from the security standpoint when the capability is misused and when one FileMaker Pro file functions as an attack vector on another FileMaker Pro file.

There are five significant actions an external API can undertake to perform on a FileMaker Pro file.  Not every API can perform all these tasks; however, each can perform at least one of them. What are those actions?

  • Read and extract data
  • Write data
  • Read and extract metadata
  • Manipulate the User Interface
  • Trigger FileMaker Scripts

What are some of the types of attacks these API’s can facilitate?  And, more importantly, how can developers ameliorate the adverse impact of such attacks and perhaps prevent them in the first instance?

One category of attack centers on manipulation of the User Interface to send the attacker to a layout in the file the developer never intended to have exposed.  This is one of the inherent dangers that so-called “Developer” layouts present.  Unless a layout enjoys access protection in the Privilege Set attached to the active Account, the Attacker can navigate to it and observe anything shown on it.

Another category of attack deals with reading and extracting data from a table.  Some API’s can perform this task and even write out the data to another application such as Excel or Microsoft Word. In other instances, an attack can cause an export of data from a file.

Still another category of attack involves the triggering of scripts in a manner developers did not anticipate or intend. Generally speaking, if a script is either modifiable or (more commonly) executable to the active Account’s Privilege Set, then the Attacker can invoke the script. Developers must carefully consider the conditions under which a script runs. Scripts that re-log into the solution with elevated privileges without a credentials challenge are especially attractive targets for attackers. The script does not have to appear in the Scripts menu or be attached to an object on a layout to be vulnerable to such an attack. Its mere existence in the file in an unprotected state is sufficient to render it vulnerable.

Some API’s can extract metadata from a file.  Some metadata, such as a list of items in a value list, might also reveal data at the table level. Additionally, the metadata item might be a list of the Layout names in a file.  An attacker could use this information to attempt navigation to a particular layout such as the “Developer” layout previously mentioned. Similarly, metadata might reveal a list of Script names; this could facilitate an attack on a selected script.

There are three API’s that cause particular concern because of their breadth and relative ease of use.  These three are Apple Events, the FMPURL process, and FileMaker Pro files themselves.

The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. http://thefmkb.com/5671

The FMPURL process (that is described at https://www.filemaker.com/help/14/fmp/en/html/sharing_data.17.6.html can open a file and run a script in it.  If the file is already open, then the script will still run.

A FileMaker Pro file can also read and write data in another FileMaker Pro file.  That is a commonly used process.  But such files can also run scripts, manipulate the UI, extract data, and extract metadata from other files.  If the target files are not protected, they are vulnerable to these type actions. This is a more subtle process than might first be observed.  A number of Privilege Set bits apply only to the file in which they are defined; they may work differently when called externally from another FileMaker Pro file.

So, how can a FileMaker Platform developer address these issues and protect a FileMaker Platform solution?  There are several key steps developers should take:

Invoke File Access Protection.  This prevents unauthorized references by external rogue files an attacker might create. FileMaker, Inc. introduced this feature to the Platform in version 11. At that time I authored a White Paper fully describing this feature. The White Paper can be found at the following location: http://www.fmpug.com/resources/security_schema_changes_filemaker_11

Tightly define Privilege Sets so as to block access to elements that need protecting. Items marked as «No Access» do not respond to External API calls as a general rule.

Take steps to prevent automatic access to files without credentials. In most instances developers should prevent auto-opening of files, especially at higher levels of privilege.  Once opened, such files can become vulnerable to attacks using the API’s. They can also be used to attack other FileMaker Pro files. I discussed some aspects of this two years ago in a post on this BLOG 

Do not enable any API’s not needed in a file. This includes such items as XML, PHP, and xdbc.  Strictly speaking, WebDirect™ perhaps is not actually an API; however, developers should not enable it either if it is not needed.

In this BLOG post, I have enumerated a number of FileMaker Platform External API’s and described how a Threat Agent (Attacker) might use them as a vector to compromise FileMaker Platform solutions.  I have also enumerated some specific attacks.  And I have provided several recommendations for protecting the files and lessening the likelihood of a successful attack.

Steven H. Blackwell

 

Steven H. Blackwell

I have recently learned that there may be any number of FileMaker Server installations world-wide that are hosting files that open automatically without credentials challenge to the [Full Access] Privilege Set. The default-installed FileMaker Server Sample File is one of these; however, there are others.

This is not such a good practice. Such files offer an attractive attack vector that a Threat Agent can use to inflict damage on the FileMaker Server machine or on its hosted files. If a Threat Agent can locate the server and access it, an attack can occur using these files.

Most attacks occur when a Threat Agent utilizes some vulnerability to mount an exploit that has some negative impact on the Confidentiality, Integrity, or Availability (CIA) of a digital asset such as a FileMaker Pro database. To that we must now add that the exploit can adversely impact the Resilience of the database system as well. We measure that negative impact of an attack along a continuum ranging from Limited to Serious to Severe to Catastrophic. In managing security in FileMaker database systems, we work to block Threat Agents, to close vulnerabilities, and to mitigate the negative impact of an attack.

I would therefore strongly recommend the following actions:

  1. If you do not need the FileMaker Server Sample File, then remove it from your server. If you do need it, give it credentials or have it open to a restricted privilege level.
  2. If you have other files that open without challenge to [Full Access] privileges, then change that process to require credentials or, at the least, to open to a restricted level of privileges.
  3. Periodically review the FileMaker Server Access Log to see if it contains evidence of unusual or unexpected access to the server. Of course, for that to work, you must enable this log in the FileMaker Server Admin Console.

It is my view that in the FileMaker community we have a responsibility to one another to help each other maintain safe systems, to avoid and to prevent attacks, and to block Threat Agents. I will continue to advise the community of security-related items from time to time.

Steven H. Blackwell

Steven H. Blackwell

External Server Authentication and [Full Access] Privileges…

Life (or FileMaker) May Not Be What At First It Seems

-By-

Steven H. Blackwell

Someone recently advised me about a discussion on a FileMaker List that focused on the supposed ability of a user with an Account authenticated by External Server Authentication and attached to the [Full Access] Privilege Set to make changes in a hosted file’s security schema. (Technically this is a Group, not an Account, but we’ll call it an Account here for sake of simplicity.)

If someone has actually done this, we need to learn the circumstances under which it happened including the versions both of FileMaker Pro and of FileMaker Server as well as the OS of the machines running FileMaker Server and FileMaker Pro. Such a capability would represent a significant security vulnerability.

I set out to investigate this report and whether such an action could actually have occurred, and whether I could duplicate the reported behavior. Bottom line: the answer is No. But the scenarios I discovered were interesting and somewhat unexpected.

I want to thank long time FileMaker developer and technical expert Darren L. Terry of Pacific Data Management in San Jose, California, for his assistance in running this issue to ground. Darren, who was once described on a FileMaker List as being “…worth [his] weight in rum…” hit on the first major important clue required to answer this question.

The report I got was that a user with a [Full Access] Account that was externally authenticated by FileMaker Server had been able to log onto a hosted file and change items in the security settings. I doubted that claim.

Here is what should happen, and is actually supposed to happen, in these circumstances. If a user with an Account with [Full Access] privileges that was externally authenticated opens a hosted file, that user will have access to the Manage Security… functionality. The user of this Account can view the names of other Accounts and of External Groups. The user of this Account can also view the items in any of the Privilege Sets in the file.

When the user of the Account makes changes in any of the other Accounts or Groups or in any of the Privilege Sets, they may appear to be changed. However, these changes are not committed until the user exits the Manage Security… area.

Upon exiting, the user will be presented with a credentials challenge similar to this one:

blogentry-51827-0-19267200-1328980851_th

Now, if the user enters the [Full Access] Account credentials that were externally authenticated, an error message similar to this one should appear:

blogentry-51827-0-90775000-1328980856_th

In other words, an externally authenticated Account with [Full Access] privileges should not be able to change and commit Security settings. To do otherwise would be a violation of several core Principles of Security including Segregation of Duties/Separation of Duties, Rule of Least Privileges, etc.

Here is an important caveat and warning: For a variety of reasons, externally authenticated Accounts ought not be assigned to the [Full Access] Privilege Set. If a physical copy of a file were to be obtained, the External Groups could possibly be spoofed, granting unrestricted access to the file.

Nevertheless, if someone ignores that advice and does assign [Full Access] privileges to an external Account, attempts to make changes in the security schema should produce the results described above, namely the invalid password challenge.

Yet, the report was that a user had been able to change the security settings. I considered one way this might have appeared to have happened.

If a user had entered the Manage Security… area and made some changes but then cancelled them before attempting to exit the Security area and commit them, such a user might understandably believe he or she had been able to make the changes. So if the user did not want the apparent changes to take effect, the user would cancel out of the event. This was a possible explanation.

Darren Terry then provided an important clue: suppose there were duplicate Accounts, one internal and one external, with identical Account names and passwords. What would happen then? FileMaker Pro blocks creation of identically named Accounts in the same file; Account names must be unique. (Interestingly, passwords do not have to be unique; however developers should work on an assumption that they are required to be so.) But in this instance, since one Account was internal and the other external, there is no way to flag identical items.

So, in testing this scenario on a hosted file with identical [Full Access] Accounts, one internal and the other external, I was able to log onto the file with the external Account. I could identify that this was the external Account by placing it higher in the Authentication Order List than the identical internal Account. I made changes in the Privilege Sets and then sought to exit the file. I was presented with the Confirm Full Access Login credentials challenge (as shown above), entered the credentials, and exited the Security area successfully.

Thus it did appear that I had used the externally authenticated [Full Access] Account to change the security settings in the file. But this appearance is deceptive; that is not what actually happened.

When FileMaker Pro sought to evaluate the credentials I supplied, it first examined the externally authenticated one that was higher in the Authentication Order List. It rejected that Account, and moved to the next one in the list. That was the internal [Full Access] Account; that Account was accepted. I confirmed this behavior by disabling the internal Account. That produced the error shown at the start of this BLOG post. Re-enabling the internal Account produced a successful exit from the Manage Security… area of the file.

Positioning in the Authentication Order List is not a controlling factor for this scenario. Placing the internal Account higher in the list, logging in to the file, and then disabling that Account produced the same unsuccessful result. That happened despite the presence of the identical external Account.

So, in summary, here are the key points to remember:

  1. Don’t use External Server Authentication for a [Full Access] Account (technically a Group) in a file.

  2. If you choose to ignore this advice, you cannot commit changes to the Security schema with that externally authenticated [Full Access] Account. Such changes require an internally authenticated [Full Access] Account.

  3. Darren Terry is still worth his weight in rum.
Steven H. Blackwell

Welcome to the first posting to my new FileMaker Security blog. From time to time, I’ll be discussing issues of significance and importance related to FileMaker Pro and FileMaker Server security. In all these discussions I will keep foremost the concept that security is supposed to be focused on the preservation of the Confidentiality, Integrity, and Availability (CIA) of digital assets, and sometime of physical ones.

This first posting will focus on issues related to cloud computing security for FileMaker Pro. The cloud is all the rage these days. Yet despite that high level of interest, cloud computing, especially in the FileMaker world, is poorly understood and confused with other elements to which it has no real relationship.

Gartner has estimated that some 60% of organizations are currently actively considering cloud computing. These organizations are eager to take advantage of the elasticity, scalability, and cost benefits that cloud computing offers.

Despite these benefits and despite the interest in cloud computing that organizations express, there are some serious caveats and reservations about taking an organization’s information assets and putting them into the cloud. If a data owner wants to employ the cloud, it must make serious efforts to guarantee trust, security, and control in cloud environments. Otherwise, its digital assets are at serious risk for having their Confidentiality, Integrity, and Availability breached.

At the 2010 RSA Security Conference in San Francisco, Phil Dunkleberger, President of PGP Computing, a leading information security industry company, offered the prescient and discerning observation that despite all the advantages the cloud might be able to offer, people are not flocking to the cloud and likely will not be doing so. Why? They don’t trust the cloud, he said. And there is good reason for their not trusting it.

FileMaker Pro solution developers and IT personnel administering FileMaker servers hosting those solutions need to take special care to be aware of these items. First, and foremost, there is no real “cloud computing” to speak of in the FileMaker world. Merely having remote hosting of FileMaker Pro databases on virtual or physical servers offered by some service provider somewhere outside the organization’s work locations does not, by any means, constitute Software as a Service (SaaS), Hardware as a Service (HaaS), or Platform as a Service (PaaS). SaaS, HaaS, and PaaS are the core elements of cloud computing.

Notwithstanding this however, there are any number of lessons and strictures drawn from cloud computing that can be applied to remote hosting of FileMaker databases. There are a variety of core questions for the owners of FileMaker Pro databases to ask about remote hosting, starting with “Why do you want to do this?” Usual answers include such elements as lack of organization expertise about FileMaker Server administration and configuration and desire to provide 24/7 monitoring of the servers. Good answers perhaps, but organizations may want to ask what other reasons they have for wanting remote hosting. And then they also will want to ask whether the risks associated both with the cloud and with remote hosting outweigh the benefits provided.

So here are a few core questions owners and administrators of FileMaker Pro databases may want to ask. There has been a lot of information in recent months published in various White Papers and Podcasts and offered at the 2011 RSA Security Conference about these concerns. Interested readers may want to explore these resources further, inasmuch as this is by no means a comprehensive list.

1. How are data protected, isolated, and shared? Whether you have trade secrets or commercial processes, or confidential organizational information about finances, customers/clients, or your own personnel information stored in your database, how are you going to protect these data once they go to a remote location. Not only that, but how are you going to assure data availability and integrity as well?

2. How will you address the loss of perimeter based controls present in the local enterprise? Remote sites likely will bypass organization security policies and procedures your organization has in place.

3. How will you address the challenges of multiple users’ sharing of common resources? These multi-tenancy issues can be especially difficult. How do you assure that some other organization that is also using the same provider or the same server hardware as you are isn’t able to access or to view your data? In other words, how safe is a multi-tenancy arrangement? How are the risks of using it going to be managed?

4. Who has responsibility for compliance with regulatory and statutory items related to any customer/client/member data that are stored in the database? Generally, such responsibility remains with organization that owns the data. It cannot for the most part be transferred to the provider. Significantly, if there is a breach, who bears responsibility and liability? Whose insurance covers this liability, partially or (not likely) fully?

5. What are the applicable laws governing access to the data housed at the remote site? These likely will vary according to the jurisdiction where the data actually are housed. Those laws in different jurisdictions will not be the same necessarily as are the laws where the organization itself operates or where it is legally registered and/or incorporated.

6. As the owner of the data, do you know what the scope of the protection is for the data that the provider is obligated to provide? What conditions govern the use and disclosure of data? And presuming such provider safeguards are identified or promised (even contractually), how does the owner of the data monitor the provider’s safeguards? And if shortcomings are detected, what is the responsibility of the provider to undertake any remedial action identified through such an audit process?

7. Who bears the cost of dealing with any breaches currently estimated at $204 per record?

8. Finally, if the arrangement with the remote provider collapses (for any number of reasons), how does the owner of the data terminate its relationship with provider and recover all its data and all its backups, and leave no copies of the data behind at the remote hosting site?

As a practical matter most providers will not have protections in place, and that increases the liability of the owners of the data. And so, despite the benefits of both cloud computing and remote hosting, data owners need to ask themselves whether a variety of risks associated both with the cloud and with remote hosting outweigh the benefits provided. They will want to ask how to guarantee and maintain trust, security, and control in these environments. I look forward to further discussion of these items in the FileMaker community.

Steven H. Blackwell

Steven H. Blackwell

 

 

FileMaker Server 12 BackUps Frequently Asked Questions

 

 

FileMaker® Server 12 has a number of new features for creating backups of databases it hosts.

 

As evidenced by questions raised at the 2012 DevCon and as evidenced by a number of items posted on various FileMaker lists, there is a good deal of confusion still about how the new backup system works.

 

Wim Decorte and I have authored a short set of Frequently Asked Questions along with their answers about this topic. You can download the attached PDF that contains this information.

 

Among the questions we address are these:

 

How have backups changed in FileMaker® Server 12?

 

I want to schedule an incremental or progressive backup. But I can’t find where that is done? How do I schedule this?

 

I need to restore from the last backup. But I get an error message when I try to open the backup file directly in FileMaker Pro or host it on FileMaker Server. Are my backups broken?

 

Where does FileMaker Server put the actual backup copies it creates?

 

We hope the answers to these and to other FAQ’s about FileMaker Server 12 backups will assist the developer community and IT Administrators with FileMaker responsibilities to understand how the new systems work and how to employ them effectively.

 

Steven H. Blackwell

 

Click on the attached PDF to download the document.

FMSBackUpsFAQ.pdf

September 12th 2012

Steven H. Blackwell

FMI Security Webinar

On February 11th FileMaker, Inc. presented two webinars on FileMaker Platform Security. I am highly gratified that FileMaker, Inc. did this. These webinars, conducted by Consulting Systems Engineer Rosemary Tietge, clearly laid out the case for following Best Practices for securing files and their data across all elements of the FileMaker Platform.

I want to expand on a number of recommendations about enhancing FileMaker file security from those webinars. By way of reminder from information in a previous FileMaker Security Blog post (http://fmforums.com/forum/blog/13/entry-600-assessing-threats-vulnerabilities-and-risks-to-filemaker-pro-databases/) our focus in security is to close vulnerabilities that a Threat Agent might employ to compromise the Confidentiality, Integrity, or Availability of the database. The webinars focused largely on closing some of those vulnerabilities.

First, developers secure their files against attacks by using the security features found across the platform, not by manipulating the User Interface or by adding their own contrivances.

Second, when creating a new file, developers should add a password to the [Full Access] Account FileMaker Pro automatically provides when creating a new file. Concurrently with this step, developers should remove the automatic log-in to the file using the default Account with the blank password. Failure to do so renders the file vulnerable to attack once it is hosted by FileMaker Server.

Third, there is this corollary to the point about the automatic log-in and default credentials. When developers or administrators deploy FileMaker Server, in many instances the sample file that comes with FileMaker Server is left on the server. Developers or administrators should remove this file with its automatic log-in unless there is some compelling need for it to remain. If it does remain, the Privilege Set of any automatic log-in should be a subordinate and restricted one. This file, if left unattended and unaltered, provides a direct attack vector to the FileMaker Server system. The webinars did not expressly address this item; however, it is a logical follow-on to the default credentials issue.

Fourth, developers should design a customized Privilege Set for each group of persons who will access the file and who will need to work in the file. Specific, individualized Accounts then link to this Privilege Set, and those Privilege Sets define the actions a user can and cannot take. Because FileMaker Pro follows the Rule of Least Privileges, as a general condition, the privilege bits for a given Privilege Set are turned off or set to their most restrictive level. Developers then must explicitly grant privileges for each Privilege Set. This helps assure a high level of security for the file.

Fifth, FileMaker® Pro 11 introduced a new security item: File Access Protection. Developers should control external file access to their solutions by employing the controls found in File Access Protection. This system establishes a mutual trust relationship among various files to prevent other, outside of the trust relationship, files from accessing data, schema, and other elements in a targeted file. Failure to employ this feature leaves a major vulnerability in a FileMaker Pro file.

Sixth, in conjunction with a file’s being hosted by FileMaker Server, developers and administrators should employ the Encryption In Transit feature of FileMaker Server to assure that data transferred between FileMaker Server and various clients, such as FileMaker GO and FileMaker Pro, are not susceptible to reading if intercepted.

Seventh, and new in FileMaker® Pro 13, developers should employ the Encryption At Rest feature to protect both the file and the data in it. FileMaker® Server 13 has the explicit capability to host such encrypted files and to provide seamless access to them from a variety of clients.

As a corollary to this item, the Encryption At Rest feature is no better nor any stronger than the Encryption Password a developer must create when encrypting the file. FileMaker® Pro 13 Advanced, required for this feature, will provide an analysis of Encryption Password strength, reporting Weak, Moderate, or Strong as a result. I emphatically urge the use of only Strong Encryption Passwords. Such level of strength is a result, not merely of length, but also of complexity and randomness. Thus, in some cases, a shorter Encryption Password may be stronger than a longer one. FileMaker Pro 13 Advanced will report the Encryption Password strength to you.

Finally, too often, in too many instances, developers believe they can enhance or refine the security schema and add various supposed “security features” to their files. This occurs both for vertical market solutions and for custom developed ones as well. In over two decades of working with elements of the FileMaker Platform, I can say that I have never encountered any of these enhancements that actually strengthened file security. In almost every instance, these “security features” detracted from file security, often by providing additional attack vectors into the file or into its data.

In coming weeks, I will be having a good deal more to say about these items and other issues related to FileMaker Platform security.

--

Steven H. Blackwell

Steven H. Blackwell

Unskilled and Unaware

Nearly fourteen years ago two Cornell University psychologists authored a definitive study titled Unskilled and Unaware of It. Their core thesis was that persons who were unskilled in any number of domains suffered a dual burden. They reach erroneous conclusions and make incorrect and unfortunate choices on the one hand. And second, their lack of knowledge and competence robs them of the ability to recognize their errors. They are incorrect; yet, they believe that they are correct, and they are unaware of their errors.

In the broader FileMaker community and among significant portions of the broadly-defined FileMaker developer community, this unfortunate set of circumstances manifests itself most vividly in the two areas of FileMaker Server and FileMaker Security.

There are many excellent and creative developers who are providing software development services to internal and external clients on seven continents. The solutions they create solve a vast array of business management problems, allow companies or organizations to grow and better to serve their clients and customers, and streamline organization operations.

A line, seemingly and paradoxically both vivid and yet hidden at the same time, separates these developers from those also having an effective knowledge of FileMaker Server and a clear understanding of how different an environment FileMaker Server is than what FileMaker Pro is. That effective knowledge also allows those developers to offer a stable and secure deployment platform on which their solutions can be run for maximum effectiveness.

There is a considerable body of material extant about FileMaker Server, and most of it is both good and useful. But there is not too much information available about how different it is than the development environment that characterizes FileMaker Pro Advanced or the client consumption environments of FileMaker Pro, FileMaker GO, or the various web publishing options, not to mention such elements as ODBC or JDBC connectivity.

The server environment is poised in my view to increase its significance and importance, not to mention its ubiquity. Thus, it is an absolute necessity that FileMaker professionals significantly increase their knowledge levels about the environments in which the Server products work as well as their knowledge about how the Server products do their work. The developer community, and the customer/client community, must acquire the understanding and the skills to overcome the burdens of being unskilled and unaware.

In 2013, I will be focusing on promoting the goal of achieving that understanding along with the parallel and related one of overcoming a similar lack of understanding and awareness about FileMaker security items.

To begin the discussion about FileMaker Server, I would point out a few key items:

1. The purpose of FileMaker Server is to provide safe, secure, reliable, and consistently available access to data and business processes housed in database files.

2. The purpose of the server hardware housing FileMaker Server is to facilitate and to enhance FileMaker Server’s ability to achieve its core objectives. The same is true for the operating system that runs the hardware.

3. A server environment is different than and distinct from a workstation’s development environment or a client usage environment. It has its own constraints, requirements, tools and sound operating principles.

As a first step towards gaining more understanding about FileMaker Server, I recommend a review of the FileMaker Server 12 video tutorials by our leading industry expert Wim Decorte found at:

VTC Server Videos

Steven H. Blackwell

The original study by the two Cornell scholars:

Justin Kruger and David Dunning;

Unskilled and Unaware of It: How Difficulties in Recognizing One's Own

Incompetence Lead to Inflated Self-Assessments (Journal of Personality and Social Psychology,

1999, Vol. 77, No. 6. 121-1134)

Steven H. Blackwell

July 26th 2011

Did You Hear What I Said?

By

Steven H. Blackwell

News media on both sides of the Atlantic were all agog last week over the alleged hacking of cellular phone voice mail accounts of politicians and crime victims by reporters of the now defunct News of the World tabloid. These are serious matters, and much of the coverage has been appropriately professional. Other media coverage however can be characterized in my view as lurid and as having an undertone of “Look what we caught the other guy doing!”

Irrespective of the tone of the coverage however, there has been very little coverage or explanation of how relatively easy it was to access these voicemail accounts. One American media outlet WNYC [
] and noted security blogger Brian Krebs [
] have both explored this issue in some detail. Both point to the relative ease with which these voicemails were accessed.

All of this brings me to the key point I want to make in this posting: namely that wireless networks are frequently completed unsecured and wide open for eavesdropping. It has now been ten years since I cautioned about this vulnerability in a presentation at the 2001 DevCon in Orlando, Florida. This vulnerability is even more widespread today than it was decade ago. While this is distinct from unsecured cellular voice mail accounts, the underlying concepts are the same.

Wireless Internet access in public areas is now widespread. Whether it’s coffee shops, restaurants and cafes, airports, hotel lobbies, or even public streets and parks, wireless Internet access is pervasive, readily accessible, and almost expected as a matter of course. And it’s just as accessible to someone who wants to snoop on what you’re sending over the Internet as it is to you. An eavesdropper’s reading your email, both inbound and outbound, is easy. Capturing your email log-on credentials, or credentials to organization file servers or web sites, or passwords to on-line financial accounts can be easily done if your access methods or the network you are using isn’t protected.

Moreover, such unprotected networks offer access points to unprotected shares and to unprotected hosted FileMaker files (on FileMaker Server) that might be present on machines connected to the network. Even if protected, if credentials for these are obtained, or if they are easily guessed, contents of the share or hosted files may be at risk. Additionally, unscrupulous persons might be able to introduce malware onto these machines.

All of this of course could include many of the wireless networks likely to be found at the upcoming 16
th
FileMaker DevCon in San Diego. Wireless networks in the hotel public areas as well as in the conference functions areas, networks that may be accessible in physically adjacent nearby buildings, and any point-to-point networks that might be created using the public switched telephone network from someone’s laptop all furnish avenues of access.

So when using wireless networks ask yourself who might be affirmatively able to answer the question “
Did You Hear What I Said?”
Use VPN’s or SSL or HTTPS sites to access emails or on-line sites to lessen the likelihood of someone’s monitoring your transmissions. If accessing remote networks, consider using two-factor authentication methods. Do not presume that no one is eavesdropping, because someone can be.

It is perfectly possible using readily available and inexpensive software programs for someone with a laptop computer to be outside the DevCon Exhibit Hall during lunch, or outside a session meeting room, or on the hotel terrace by the pool and capture the target IP address, account names, and passwords that
others are transmitting
on whatever network everyone happens to be using.

As with all security questions there are always balances to be achieved. We trade confidentiality in some instances for the convenience of ready accessibility. If so, let’s make that an informed choice, not an inadvertent one.
Steven H. Blackwell

A Different Perspective On Recently Released

FileMaker, Inc. How To Paper

Regarding External Authentication Configuration

By

Wim Decorte

and

Steven H. Blackwell

I am pleased to have as co-author of this BLOG posting the renown and exceptionally highly regarded “developer’s developer” Wim Decorte.

FileMaker, Inc. recently published a FileMaker How To article entitled Replicating an External Authentication Environment for Development authored by developers at Skeleton Key in St. Louis, Missouri.

A copy of the Skeleton Key article can be found on their website here:

http://www.skeletonkey.com/blog/replicate_an_externally_authenticated_production_environment

This is an interesting paper, and it deserves a review by FileMaker developers, both independent and corporate. It reminds us that servers do have local Security Groups and Accounts. In fact, such Groups and Accounts are widely used for External Server Authentication purposes in a variety of small to medium sized enterprises as well as in workgroups of larger ones. The fact that FileMaker External Authentication can work with local accounts and groups in the OS on the FileMaker Server machine itself is often overlooked, so the article serves a good purpose in this respect.

Notwithstanding this, however, we have significant concerns and reservations about the underlying premise of this paper as well as some of the specific techniques it recommends and describes. We have elected to share these with the FileMaker developer community because of the official FileMaker, Inc. imprimatur on this paper and because of our genuine respect for the developer team at Skeleton Key. Developers will see and read this paper, authored by a well-known and respected company and issued by FileMaker, Inc., and perhaps not be aware of a number of additional considerations.

The paper states at the outset its principal purpose (emphasis supplied):

Imagine you are an outside developer for a large company. You are building a mission-critical FileMaker system – a large solution with several different privilege sets that require careful testing and tuning. Their IT team has mandated that FileMaker Server must authenticate users externally. You want to make sure the solution’s security setup will work well with multiple users and that once deployed it will properly interact with the customer’s Active or Open Directory environment. As their dedicated developer you have been given access to the company’s FileMaker Server and files, but as an outside consultant you do not have access to make changes to their network directory or services. How can you fully configure and test the security of your FileMaker system before the actual deployment in their production environment?

In our view this underlying assumption of the paper is invalid. There is no need to construct a system of External Accounts to “…fully configure and test…” the system’s security. The effect of restrictions held in privilege sets can be tested with regular internal FileMaker accounts.

The only reason to set up a system of External Authentication would be test the mechanics of the authentication process, not the restrictions of a user’s role.

The paper’s underlying assumption and the subsequent recommendations confuse and conflate Identity and Access Management (who are you?) with Role Based Privileges (what are you allowed to do?). Through its Privilege Set definitions, FileMaker Pro enforces a set of conditions for each Account attached to that specific Privilege Set. Accounts attached to a Privilege Set all enjoy, for the most part,[1] a common set of privileges in tables and files. By default, all privileges are denied; developers must specifically enable each. This is in keeping with the Rule of Least Privileges that mandates a user have all the privileges needed for his or her role, but no more privileges than the ones needed.

Role Based Privileges form one part of the FileMaker security schema. The other part is Identity and Access Management (I&AM). I&AM is used to authenticate users seeking access to the database system. It answers two related questions: “Who are you?” and “Are you whom you claim to be?” Once these two questions are successfully answered, the user is granted access to the database system with the Role Based Privileges defined in the Privilege Set to which the Account is attached.

FileMaker can perform I&AM functions either with internal FileMaker accounts or with External Server Accounts. In either regard, the result is the same: if the user is properly authenticated and deemed to be an authorized user, that user gets the privileges associated with the Account accessing the file. Thus, there is no need to construct a “development” environment using External Server Accounts to, in the paper’s phrasing, “…test the security of your FileMaker system before the actual deployment in their production environment….” An internal FileMaker account works just as well for this purpose. Two different Accounts, one internal and the other External, attached to the same Privilege Set will enjoy exactly the same set of privileges when the user is connected to the file. FileMaker, Inc. has taken specific steps over the past several versions to assure this.

—Beyond Fundamentals—

Beyond this fundamental item, there are also a number of other elements in the paper that concern us. The page number references are to pages in the paper.

Better access control (page 1). While indeed this is an advantage of External Server Authentication, this is a Domain level policy, and it will not be achieved through use of Local Security Group objects. Unless there are a great number of files in the FileMaker solution there is no real benefit in setting up this local External Authentication scheme, an internal FileMaker account will work for this purpose and is easier to set up.

What’s Needed? A local machine that is not bound to either an OD or an AD domain…(page 2). OSX and Windows work differently in this respect. Even if a Macintosh machine is bound to an Open Directory or Active Directory domain, FileMaker Server will always look to the Local Security Group first before it looks to the Domain Controller. So contrary to what is implied, the mechanism described in the paper will work when the OSX FileMaker Server machine is bound to either an AD or an OD domain. On Windows OS however, the server machine is either bound or not bound. When it is bound to an AD (is a member server of an AD domain) it will skip the local accounts and groups and always look for the domain accounts. While it is possible to force FileMaker Server to look first on the local machine when bound to an Active Directory domain, that is neither default nor standard behavior. But it is still possible to test local External Authentication when the Windows FileMaker Server is bound to an AD.

What’s Needed? FileMaker Server installed on your local machine…(page 2). We do not believe this is a good policy. We do not advocate running FileMaker Server and FileMaker Pro simultaneously on the same machine. We are aware that some developers do this and have FileMaker Pro become a guest of that FileMaker Server instance and access their files thereby. Especially if the external data source file reference is of the relative type, file:filename rather than the FileMaker network type, fmnet:/HostIP/filename, we believe there could be instances where files opened by relationships or scripts via Table Aliases on the Graph may not open as expected as a guest of FileMaker Server. Much more testing and some definitive declaration from FileMaker, Inc. Engineering are needed to determine actual FileMaker behavior in these circumstances.

Setting it up. You can replicate the relevant EA setup…(page 3). This is, at best, only partly correct. Local Security Groups do not behave in exactly the same fashion as Domain Groups. This is particularly true for Single Sign-On (SSO) which is only possible when a Windows OS workstation connects to a FileMaker Server on Windows Server and where the server is a member of the Active Directory Domain. Some developers fail to make a critical distinction between External Server Authentication and SSO. They are not the same. In the former, available for both Macintosh and Windows, the Account can be authenticated; however the user must enter credentials to access the file. Those credentials are then authenticated by the server after the user enters them. In SSO, however, the user does not have to enter credentials again to access the database once he or she is authenticated to the domain. [Note: on Macintosh SSO capabilities can be emulated to an extent by use of the KeyChain]. With Local Groups however, users must enter credentials to access the file; SSO is not operative (again with the KeyChain nuance). Thus, if the developer was expecting not to enter credentials, confusion may well ensue.

The other aspect is that the mechanics of authenticating against local accounts is different than authenticating against an OD or AD. There are factors that do not come into play with local authentication such as clock synchronization and lag time incurred by the physical distance between the FileMaker Server machine and the AD or OD machine. This translates into mimicking the EA setup, but not replicating it.

FileMaker Pro Login window (page 5) and Account in the ‘Production Coordinators’ Group (page 7). Mr. Richman’s account is styled differently here one place than the other (Mark Richman vs. mrichman). This may cause the process to fail. We believe the paper should have attempted to explain the difference to avoid confusion. On the Macintosh platform the short name is the one used by FileMaker Server and Open Directory, not the long name that is the more user recognizable one. Thus, an Account named Steven Blackwell will be reduced to the short form stevenblackwell. Note the absence of spaces and the use of all lowercase letters. When establishing Accounts on either platform, we recommend the use of all lowercase names without spaces. Likewise we recommend the use of a similar construct for the Group names, both on the server and in the file. (See contrary example at bottom of page 6). We also encourage the use of a construct similar to this one: fm_solutionname_groupname for this, inasmuch as it is easily and quickly identifiable both as a FileMaker Group in either AD or OD and as part of a specific solution.

Account in the ‘Production Coordinators’ Group (page 7). We note that the example given here for adding Accounts in OS X is utilizing the OS X client software, not the OS X Server software. While this is to be expected because the developer presumably is working on a client machine for development purposes, the UI and process on OS X Server may be somewhat different. Various versions of OS X Server have taken different approaches to this. The WorkGroup Manager however has been the utility most frequently used on the Server version to create Groups, create Accounts, and to assign Accounts to Groups. On Windows OS, the UI is more nearly identical between client and server versions.

In addition to the foregoing, there is at least one critical test the process described in the article cannot address. A key requirement for External Server Authentication, and a key point of failure in many such deployments, is a mismatch between the Group Name on the Server or on the Domain Controller and the Group Name in the FileMaker Pro file. They must match exactly. We previously offered a recommendation for the syntax of such names. To test how the system will work in the production environment, we recommend deployment of a test file configured with the Group names and set for External Server authentication, together with external Groups in the proper place. Users can then attempt to log into that file. A successful log-in can be made to create a new record with Account Name, workstation information, and Privilege Set name, all for developer review. Failed attempts will be logged by FileMaker Server if administrators enable proper logging. Additionally, obvious failures will manifest themselves to the user. When using such a file, be sure to disable auto-log-in options in the test file.

—Summary—

In summary then, we do not believe that the underlying premise of the paper is valid. There really is no need to have External Authentication to test the “security” of the file, inasmuch as the Privilege Sets will function identically irrespective of the authentication model. Additionally, we believe that some of the procedures described in the paper are insufficiently nuanced given distinctions between Domain authentication and Local Group authentication behaviors. Finally, the paper recommends a scenario regarding FileMaker Server and FileMaker Pro’s simultaneous use on the same machine that we do not believe is prudent. We welcome further discussion and debate within the developer community about these items.

[1] It is possible to make one Account attached to a given Privilege Set behave differently than other Accounts attached to the same Privilege Set do. But that is independent of the authentication model used.

Steven H. Blackwell

Some Vulnerabilities Associated With Ersatz Log-On Systems

 

October 29th 2015

 

My recent post [http://fmforums.com/blogs/entry/1410-new-paradigms-in-filemaker-platform-security/] on this BLOG about New Paradigms in FileMaker Platform Security has apparently occasioned a good deal of discussion in various FileMaker-related venues. Much of this reportedly has focused on the ersatz systems that I recommended be avoided. Many persons seem to have asserted that they use such systems for a variety of reasons.  And further, they proclaimed their belief that these systems were secure and immune to tampering.

Others have taken a different view, similar to my own, cautioning against the use of such systems.  Among the reasons they cited for that cautionary warning are unreliability of these systems and their susceptibility to tampering.

In this BLOG post, I am going to focus on some commonly-found characteristics of these ersatz systems and explore how an attacker might compromise them.

 

—Ersatz Systems—

Generally speaking these systems are directed towards one or both of two distinct processes: first, authentication; second, assignment of privileges in the database. The processes they employ usually start with an automated log-in to the system, usually at a self-described “low level of privileges.” What this actually means in terms of actual privileges remains to be seen on a case-by-case basis and varies among different systems.

Through the use of some process of identification of the user, a re-login occurs with an Account Name and Password unknown to the user and with a level of privileges attached to the unknown Account. That is to say, multiple users employ the same Account and Password to access the file; however, the individual user does not know either of the credentials’ items.

Furthermore, in some versions of these ersatz systems, privileges are also set by values in flag fields rather than through privilege bit elements in the Privilege Set.

 

—Compromising Ersatz Systems—

 

An attacker frequently can easily achieve a compromise of these ersatz systems, resulting in access at elevated levels of privilege. Unauthorized escalation of privileges is a common result of an attack. It is a circumstance we try to avoid wherever possible.

When a system automatically admits a user to the file without a challenge, two-thirds of the battle is already lost. The automatic initial log-on with the re-login by the unknown Account does just that.  The attacker is now in the file. As a result the attacker can now exploit any vulnerability not controlled by the developer.  And the developer likely cannot control every vulnerability. The attacker can now escalate his privileges, something (as mentioned) we try to prevent happening.

Even self-described low-level privileges associated with the automated log-on have certain capabilities. Otherwise, the ersatz system would not work. What are some of these capabilities and how might they be exploited?

First, the process that identifies the user and performs the re-login is in one of two different possible states.  It is either Paused or Not Paused depending on the scripted action that controls it.  If it is Paused, then the attacker can stop the Pause by any of several methods, most notably by external Application Program Interfaces (API’s). This means the attacker can cancel the paused state and return to a normal or unpaused state. The Allow User Abort [Off] functionality has no impact on this at all.  Pause can be stopped even if Allow User Abort is set to OFF.  Conversely, if the initial state of the process is Not Paused, the attacker can proceed to the next step.

Second, the attacker is now in the file and the file is in a normal state. The attacker can now activate the re-login process and gain privileges. Unless the re-login scripts are exceptionally well protected, the attacker can activate them by any of several different methods or a combination of methods:

         •External API’s

         •External references if the target file is not protected

•User Interface manipulation of the target file in some instances, depending on how the file is constructed.

What this means is that the re-logon process can be run without any reference whatsoever to the user’s name or other identifying information.  The attacker will now enjoy the privileges associated with the newly acquired Privilege Set. If the re-login process includes access to an Account with [Full Access] privileges, such as has been observed in a number of instances of these ersatz systems, then various serious consequences will ensue:

•Compromise of intellectual property

•Exfiltration of data

•Sabotage of data in the file surreptitiously or overtly

•Surreptitious extraction of [Full Access] Account name and password from the file. The amount of damage flowing from this can be exceptionally extensive, especially for widely-distributed commercial vertical market products.

•Surreptitious monitoring of file over time

 

—Flag Fields—

There is another set of circumstances that can happen associated with the flag fields that attempt to confer privileges.  If these are not exceptionally well-protected, the attacker can change their values, and thereby a low-level privilege coverts to a high-level privilege. Protection does not mean removing from the Layouts Menu the layouts where the flag fields might appear. Additionally, protection also does not mean keeping flag fields off of any layout whatsoever.

An attacker can manipulate the values in these flag fields by a variety of methods:

•External API’s

•External references if the target file is not protected

•UI manipulation of target file in some instances

We distinguish all of this from privileges the developer allows in the Privilege Sets in the file.  An attacker cannot manipulate such privileges in the same fashion as he could with the flag fields.

 

—Summary—

Avoid the use of ersatz log-on and privilege-granting systems. An attacker can interrupt and otherwise thwart the processes controlling the ersatz system. The attacker can manipulate data-based “privilege” flags and change their values. The attacker gains access and escalates privileges through these flawed processes. Ersatz systems detract from the real security a file needs.  Ersatz systems also impart a false sense of security about the files.  Use the tools FileMaker, Inc. gives you to protect the file.  Do not try to invent your own in almost any and every instance.

 

Steven H. Blackwell

 

ErsatzSystems.pdf

Steven H. Blackwell

Newest Version of FileMaker Platform

Brings Significant Major Security Enhancement

FileMaker, Inc. today released the latest version of its Platform: FileMaker® Pro 13, FileMaker® Pro 13 Advanced, FileMaker® Server 13, and FileMaker® GO 13.

This release brings many significant new features to the platform including the innovative FileMaker WebDirect™ client access. But to me the most significant enhancement is Encryption of Data at Rest (EAR). Addition of this critical and key functionality completes the FileMaker Platform Security Suite:





Identity and Access Management

Role-Based Privileges

File Access Protection

Encryption of Data in Transit

Encryption of Data at Rest

More so than ever in the past, today many different Threat Agents relentlessly attack an organization’s confidential and proprietary data and are eager to steal those data. Whether by direct attack on hosted databases, by unauthorized access to backups or other copies of database files, or by other attack vectors, these incursions place data at risk. This poses significant problems for organizations, significant business reputation damage, and significant legal liabilities.

With the introduction of the new version of the FileMaker Platform, developers, administrators, and end user clients or customers now have much stronger tools to protect their files and the data those files contain. But in order fully to benefit from this new feature, developers need to understand how it works and what it supposed to do.

How does this work? Using FileMaker Pro 13 Advanced and its Developer Tools, developers or administrators may now introduce industry-standard AES-256 encryption onto FileMaker Pro files. Once FileMaker Server 13 hosts these files, then this encryption is transparent to the end user who will continue to access the files by Account Name and Password as previously.

blogentry-57159-0-52256800-1386012637_th

Figure 1. Developer Tool option for file encryption.

This type of Encryption At Rest protects the physical file and its contents from a variety of attacks. As the name “At Rest” implies, this is basically when the file is closed or when an attack is directed at the physical file itself.

Developers and administrators must recognize some significant considerations when employing the new EAR feature. Here are a number of them:

1. The strength of the encryption is no better than the strength of the new Encryption Password used to encrypt the files. FileMaker Pro Advanced will report whether the Encryption Password is Weak, Moderate, or Strong. Use Strong passwords only.

blogentry-57159-0-72759000-1386012765_th


Figure 2. Password Quality Dialog. Use Strong Encryption Passwords.

What are the characteristics of a strong password? Certainly length of the password is one attribute. But length alone is insufficient. Shorter passwords in some cases can be stronger than longer ones. The principal determinant of strength is the entropy of the Encryption Password. Entropy is the measurement of uncertainty of a random variable. To achieve strong FileMaker encryption passwords, developers should utilize complex passwords or passphrases with a mixture of lower and upper case alphanumeric characters and high ASCII characters. The best minimum length is probably 14 characters.














2. Encryption with EAR is for the file itself, not for data as they flow across the network from FileMaker Server 13 to various FileMaker Pro clients, including the new WebDirect. Developers and Administrators should continue to use the SSL Encryption option provided in FileMaker Server 13 to protect data in transit. This setting is found in the Admin Console, under Database Server—Security—Require Secure connections as shown here.

blogentry-57159-0-02363000-1386012882_th

Figure 3. Continue to enable Encryption of Data in Transit in the FileMaker Server Admin Console as before. This is in addition to EAR.

3. Refer again to Figure 1, Developer Tool option for file encryption, and please note the text box with the Shared ID label. FileMaker Pro 13 Advanced will automatically enter a value here when the encryption process starts. That value is a simple timestamp; developers may wish to change that value to something else. The purpose of this value is to link a set of files together so that the opening process for those files does not require repeated entry of the Encryption Password.

Here is an important additional piece of information about the Shared ID. Should developers wish at some later time to add a file to a previously encrypted set of files, they must use the same Shared ID and Encryption Password as they did with the original set of files. Otherwise, there will be multiple requests for the Encryption Password.

Thus, safeguarding the Shared ID is important so that developers and administrators can properly and more easily administer encrypted file sets.

4. EAR does not take the place either of passwords or of access privileges as defined in the Privilege Set attached to the active Account. Developers must still employ these features to protect files and the data in them. EAR is not field level encryption; it does not block access to any specific field once a user opens the file. Use the settings in the Privilege Set to control user access to elements of the file.

5. EAR does not take the place of File Access Protection (introduced in FileMaker® Pro 11). Developers should still employ File Access Protection to help guard against Escalation of Privileges by otherwise authorized users or by others who manage to connect to the file. File Access Protection is enabled in the Manage Security section of the file.

blogentry-57159-0-91106400-1386012933_th

Figure 4. File Access Protection.

6. Developers and Administrators should take particular care to safeguard the Encryption Password for a file or group of files. If that information is lost, you will lose the ability to open the file. Loss of the Encryption Password effectively destroys the file. Additionally, the Encryption Password will be needed if developers ever wish to remove encryption from the file. There are several ways to manage retention of these Encryption Passwords, including storing them on an encrypted external device such as a thumb drive and then locking that device away in a secure place.

blogentry-57159-0-35722600-1386013028_th

Figure 5. Removing Encryption from a file requires knowledge of the Encryption Password.

All of which raises this key point about safeguarding the Encryption Passwords. If a Threat Agent, either from inside the organization or from outside of it, were to learn the Encryption Password, that Threat Agent might be able to remove the encryption from the file. So safeguard these Encryption Passwords.

There is one way to prevent the removal of encryption from a file. It is irreversible and permanent, so developers should use it only after exercising serious thought about possible ramifications. This is true even though the Developer Tool makes a copy of the file when it encrypts it, leaving the original intact. If the encrypted copy is put into production, it might not be possible later to extract data from the production copy to be re-introduced into another copy of the original file.


If, after encrypting the file, a developer uses the Tool also to remove the [Full Access] Accounts, then that file’s encryption is permanent. It cannot be removed, because a [Full Access] Account and password are no longer available. So exercise caution in this area.

In summary, FileMaker Pro 13 Advanced and FileMaker Server 13 bring new capability to protect files and their data with the introduction of industry standard Encryption At Rest. This new capability rounds out the Security Suite of the FileMaker Platform along with Identity and Access Management, Role-Based Security, File Access Protection, and Encryption of Data in Transit.

By employing EAR, developers and administrators of FileMaker systems can help to protect their hosted files, their backups, and any other copies of the files from a variety of attacks that will result in data loss.



For developers who support business areas with regulatory compliance requirements related to data confidentiality, the new EAR will make securing the file much easier. It can also provide increased confidence in the solution's ability to meet those regulatory requirements. For files containing sensitive, confidential, or proprietary data, I strongly recommend employing EAR. However, almost all business solutions need to protect their data; every developer should, therefore, employ the use of Encryption at Rest.




--


Steven H. Blackwell

Steven H. Blackwell

 

Protecting FileMaker Platform Business Solutions

FileMaker Platform developers and FileMaker Server Administrators, as well as business data owners, need to take a variety of steps to protect the Confidentiality, Integrity, Availability, and Resilience (CIAR) of their FileMaker Platform Business Solutions. Threat Agents of many varieties seek to exploit vulnerabilities that might exist in those solutions to compromise them, to steal data, to alter data, or to destroy data.

This FileMaker Security BLOG article will describe four key steps that developers and administrators can take to protect their files. Before listing those however, I want to describe an important caveat about such an approach to FileMaker platform security.

Security is never a case of “One and Done.” It is not a check list of things to do to files, and then they are and will remain secure. Business circumstances change.  We discover new vulnerabilities. Threat Agents perfect new attacks, some possibly exploiting so-called Zero Day vulnerabilities. Security is an on-going process in a constant state of flux. Maintaining security for business solutions requires constant monitoring and evaluation. All that said, however, here are four important considerations.  All employ tools that the FileMaker platform already gives us to help protect our files.

 

First. Use Granular Access Privileges. The FileMaker security schema allows for very specific privileges as well as for very broad ones.  For best protection and control, set the privileges and permissions for each Privilege Set very carefully.  For each business role, give the users in that role all the privileges they need for them to accomplish their business requirements.  But do not give them any added privileges.  This is called the Rule of Least Privileges, and it is fundamental to having correct security for your files.

This process may take a bit of work, and it requires you to know and to understand what users are supposed to be doing—and not doing—in the file. To do this you also need to know what permissions are on and which are off by default in each Privilege Set. When a developer creates a new Privilege Set in a file, most privileges bits are off or at their most restrictive settings by default. This is a correct and is a consistent behavior with the Rule of Lest privileges. One of the things a developer wants to achieve in working with the security schema is to prevent an otherwise authorized user from escalating his or her privileges and gaining a level of access above the prescribed one.

To that end, developers should most likely avoid in almost all situations the use of the two default subordinate level Privilege Sets: [Data Entry Only] and [Read-Only Access]. Both these contain privileges in excess of what their names suggest.  If you plan to use them, carefully review the actual privileges they grant to see if those are consistent with your security model.

 

Second. Invoke Encryption at Rest (EAR) on your files. This is a particularly important step; likewise, EAR offers particularly good protection, provided you use a strong encryption password.  FileMaker Pro will tell you the strength of the password: Weak, Moderate, or Strong. If someone gains access to a copy of your files by any of several attack vectors, EAR prevents their forcing the file open or employing any of the so-called “password crackers” on them.  Unauthorized possession of copies of files, including backup copies, is a particularly strong attack vector.  It is also an attack vector that Threat Agents frequently employ.

 

Third. Use File Access Protection to block manipulation of your files by other FileMaker Pro files you do not control. File Access Protection prevents unauthorized persons from pointing their files at yours and extracting, viewing, or manipulating information. 

An important part of effective file protection is understanding how external Application Program Interfaces (API’s) can access your FileMaker Pro business solutions and then how to control that access. This includes layout access, file metadata, and the business logic found in scripts. [You can read more about this topic here:  http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/]

Some of these elements respond to fine-grain permission controls in the Privilege Set.  Others do not; hence, developers should utilize File Access Protection. Additionally it can assist in preventing users who are otherwise authorized a particular level of permissions from escalating those permissions and privileges in the file.  Escalation of privileges is a key vulnerability we must try to prevent in all instances. 

 

Fourth. Utilize Encryption in Transit to protect you data while they are in motion between FileMaker Server and a variety of FileMaker Platform clients such as WebDirect™, FileMaker GO, and FileMaker Pro. This is particularly important when users are accessing FileMaker Platform Business Solutions by public Wi-Fi networks such as those found in coffee shops, hotels, conference centers, malls, airports, and similar venues. For that matter it is also important when the only access is across a Local Area Network (LAN) behind a closed firewall.  Just one single rogue wireless access point on that LAN can compromise it.  Additionally anyone with access to the LAN could also intercept data in transit. Encryption in Transit also helps verify the identity of the FileMaker Server and helps prevent man-in-the-middle attacks where a Threat Agent could impersonate your FileMaker Server.

I have described four FileMaker Platform security tools that developers and administrators can use to protect FileMaker Platform business solutions:

Granular Access Privileges

Encryption at Rest

File Access Protection

Encryption in Transit

I have attached a schematic that can serve as a reminder about these features. Remember when using these, that security is dynamic and on-going.  It is never a “One and Done” scenario. The FileMaker Platform provides these tools. A number of people have done a very considerable amount of work over the years to add these to the FileMaker Platform. I strongly recommend their use.

TipsforSecuring.png

Steven H. Blackwell

FileMaker Cloud

 

I am very excited about the advent today of FileMaker Cloud. It is an excellent addition to the overall FileMaker Platform. Even in Version 1.0 we can see major benefits and uses for FileMaker Cloud. Over time and in succeeding versions, I believe these will get even better.

It is scalable, both up and down. It can meet rapidly changing needs for infrastructure to support FileMaker-based business management systems.

It is secure. Your files are encrypted. And data in transit are also encrypted. This is important to preserve the Confidentiality, Integrity, Availability, and Resilience of your FileMaker business management systems.

It is part of the FileMaker Platform. Users can connect to its hosted files with FileMaker Pro, FileMaker GO, and WebDirect™ clients.

It requires minimal administrative attention once established. And while no system can ever be a fire-and-forget structure, FileMaker Cloud offers ease of management. Amazon Web Services handles the heavy lifting.

FileMaker Cloud introduces the industry-standard oAuth2 process to the FileMaker Platform. That process allows new options for Identity and Access Management. In Version 1.0 that is confined to credentials for managing the newly revamped FileMaker Server Admin Console. This will work with an administrator’s regular Amazon Account.

Such federated identity management support might possibly in the future allow developers to utilize other authentication platforms to validate user credentials. Then those other platforms could pass that validation to FileMaker Server and admit the user to specific files. And with correct file privileges to boot!

I want to congratulate FileMaker, Inc. and its Engineering, SQA, and Product Management Teams on this initial foray into the Cloud. I look forward to future enhancements to FileMaker Cloud.

Steven H. Blackwell

fm_cloud_horz.png

Steven H. Blackwell

Security Vulnerabilities of FileMaker Platform API’s:  An Update

 January 9th 2017

In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API, possibly more, if ExecuteSQL is included. The central thesis of that article was that these API’s provide unexpected attack vectors to compromise FileMaker Platform files.  As noted at the time:

Many FileMaker developers are not aware, however, that these API’s have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions. 

Unfortunately, in the intervening nine-month time span, we continue to see cases where several of these API have been used for malicious purposes to compromise FileMaker Platform files’ business process integrity, to manipulate data, and to extract data.  And many in the developer community remain unaware of this problem. In this BLOG entry, I will describe two of these API’s in greater specificity and detail, including describing a variety of attacks they can facilitate.  This article will not discuss the ActiveX API that is available on Windows OS; however, developers should give similar attention to that approach. Developers need to be aware of these items in order to protect their files and those of their clients.

The two API at the center of this focus are Apple Events and the FMPURL process.  In the earlier article, I noted several elements about these that bear repeating here:

[These API] cause particular concern because of their breadth and relative ease of use….

The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. [http://thefmkb.com/5671]

The FMPURLcan open a file and run a script in it.  If the file is already open, then the script will still run. [http://thefmkb.com/5560]

 

A few general comments about both of these API’s:

·      They are not platform-specific in the sense that just because a client organization is an all Windows OS environment that it is immune from an Apple Event attack.  It’s the OS of the attacker that controls whether the API can be used.

·      There are some ways within Privilege Sets to constrain behavior of these API commands when they are applied on a file. The Export privilege bit can control the ability of Apple Events to extract data from a file. The Layout Access privilege bits can also constrain the ability to see contents of a layout. Likewise, Script Access privilege bits can control the availability of a script to either of these API.

·      These API often perform actions in unexpected fashions that fall outside the normal, traditional, and familiar FileMaker Pro User Interface behavior. This is part of what catches developers by surprise.

 

—Apple Events—

When a file is open, whether standalone or hosted by FileMaker Server, an attacker can send Apple Event commands to it causing it to perform a variety of actions, including:

·      Run any script to which the user has access, irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.

·      Navigate to any Layout irrespective of whether that Layout’s name is in the list of Layouts or not. If the user’s Privilege Set has access to see that Layout, then its contents are visible whether the developer ever intended for the user to view the Layout or not.

·      Return various metadata about the file, including such items as Script Names, Value List Items, Layout Names, Field Names, etc. If a user’s Privilege Set does not allow access to the item, its name does not appear in the list returned.

·      Put data into any field in the database or extract data from any field, irrespective of whether that field is on the active Layout or is on any Layout for that matter.

 

Here are several examples of these scripts, all working on a file named Our_Secret_Information.fmp12.

 

tell application "FileMaker Pro Advanced"

       activate

       go to first layout

end tell

 

tell application "FileMaker Pro Advanced"

       activate

       do script FileMaker script "Relog_as_Admin"

end tell

 

tell application "FileMaker Pro Advanced"

       activate

       set somevar to name of every layout

end tell

 

tell application "FileMaker Pro Advanced"

       activate

       set somevar to name of every field

end tell

 

tell application "FileMaker Pro Advanced"

       activate

       set somevar to get data field "CreditCardNumber"

end tell

 

 

 

 

—FMPURL—

 

The FMPURL command’s principal attack vector is that it can be used to run any Script in a file to which a user’s privileges has access. Similar to Apple Events, this occurs irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.

If the file is closed, the command first opens the file with supplied credentials, then runs any OnFirstWindowOpen script, and then runs the designated script from the FMPURL command.  As a result of this behavior, a Halt Script step at the end of the opening script has the effect of blocking the running of the FMPURL designated script. Some developers have utilized this technique to block FMPURL calls to scripts in a file.

However, if the file is already opened or if there is no opening script, then the designated script does run.

Here is an example of calling a script, again in our file Our_Secret_Information.fmp12 being hosted at a server at IP address 0.0.0.0.

 

fmp://0.0.0.0/Our_Secret_Information.fmp12?script= Relog_as_Admin

 

 

—What Is the Significance Of This and

How Do We Address This?—

 

One of the many reasons we caution developers against embedding security elements such as Identity and Access Management controls into the data layer of FileMaker Pro databases is precisely because such elements are vulnerable to these API attacks. Think for a minute about that Relog_as_Admin script that presumably relogs into the file with a [Full Access] Account.  If an Attacker can trigger that script and cause it to run, irrespective of what the developer might have intended, then the Attacker has full access to the file. This has actually happened.

Or, suppose that a developer has made a “Developer_Only” layout in the file, removed it from the list of layouts, and left sensitive information on it. If the Attacker can navigate to that layout, and if it is not protected by settings in the Privilege Set, then the Attacker can learn the contents of the information on it.  This has actually happened in numerous instances, including unbelievably, the appearance of [Full Access] level credentials left exposed on the layout!

Likewise, suppose that a developer has made a so-called “Privileges Table” with various fields that purport to control whether a user can do such things as create records. Using the Apple Event Set Data command, an Attacker could likely change the values in these fields if they do not enjoy additional protection.  More likely even, the Attacker could simply issue a Make New Record command and create the record.  That is a process frequently used to thwart developer-imposed limitations on the number of records in a demonstration version of a vertical market solution.

So, what can be done to manage this situation and to prevent these type attacks?  In FileMaker® Pro 15, FileMaker, Inc. added a new Extended Privilege option in the Privilege Set called fmscriptdisabled.  Developers must explicitly invoke this option; it is not a default option.  What it does is to prevent Apple Events (Macintosh OS) and ActiveX commands (Windows OS) from activating scripts, just as the name implies.  It has no impact on FMPURL or on other Apple Event commands that do not involve triggering of scripts.

Some of the other items in a Privilege Set, notably Export and data layer modification elements, can control Get Data and Set Data Apple Events.  If Export is disabled, then Get Data will not return data from the selected field. In tables where the editing privileges are restricted, likewise, Set Data will not add data to a field.  Creation and deletion privileges behave in similar fashion. Remember, we are talking here only about Apple Events.  Other processes may behave differently. Controlling API behavior is important; however, it is not the only security feature that developers must invoke to assure Confidentiality, Availability, and Integrity of their database systems.

So, clearly what we need here is a way to block these API from interacting with FileMaker Pro files. FileMaker, Inc. is aware of these issues and has been working on new ways to address them. In the Product Road Map Webinar presented on November 30th 2016, FileMaker, Inc. noted that the next version of the FileMaker Platform will contain a number of additional security enhancements. I am authorized to say that one of those enhancements will be a new process for more closely and granularly controlling several of these API’s.

At such time as there is any new version of the FileMaker Platform, I will have additional comments and analyses of the issues related to these API’s.

Steven H. Blackwell

Hacking Your Own FileMaker Platform Solutions

Should FileMaker Platform developers mount hacking attacks on their own solutions? At first glance, this may seem an odd question. But I believe that the answer is “Yes, we should.”

Consider this. As developers we see our solutions from a totally different perspective than Threat Agents see them. Without practicing our own hacking skills, we can become blind to the vulnerabilities a Threat Agent can exploit to compromise the Confidentiality, Integrity, Availability, and Resilience (CIAR) of our deployed solutions.

I have previously observed that we need to “Think as the Attacker thinks, not as the Developer thinks.” It will be the strength of the Defender, much more so than the strength of the Attacker, that determines the outcome of a breach of any of our systems.

What are some of the vulnerabilities a Threat Agent (i.e. an Attacker) might exploit to compromise our systems?  What have we done to close those vulnerabilities and to mitigate the level of severity of impact of CIAR compromises when a breach occurs? There are a number of attack vectors to consider:

  1. If the File Access Protection option is off, then an attacker with even lower-level privileges in the targeted file may be able to print, export, view, edit, and otherwise manipulate data in the hosted solution totally outside many of the constraints that the developer has utilized.  The attacker may also be able to run scripts in the file, even if they are not attached to User Interface elements or present in the Scripts menu.  The attacker may also me able to navigate to layouts in an unexpected and unauthorized fashion. And the Attacker can extract a significant amount of metadata from the file. 

    Are the files open to access by other, rogue FileMaker Pro files? The File Access Protection feature found in the Manage Security area of the file is designed to inhibit this behavior. But the developer must explicitly invoke that option.  When it is in force, an Attacker must know a [Full Access] level password in order to define External Data Source references to our file.
     
  2. What about the External API’s that work in the FileMaker Platform? Have you, as the developer, considered how these might provide unauthorized and unexpected access to your files?  Some of these can be disabled via the Privilege Set bits. Examples of these include XML, PHP, ODBC, and JDBC. A Threat Agent could manipulate these and others to gain access to data and to view or to change them. An Attacker could also possibly use these to trigger scripts in an unexpected fashion.

    Other API’s are harder to control, and an attacker can use them to gain access to data, to gain access to metadata, to trigger scripts, and to manipulate the User Interface and traverse among various layouts. These, to varying degrees, include Apple Events, ActiveX, FMPURL, and ExecuteSQL. Developers can control much of this behavior through the use of very finely-grained Privilege Sets. And here is where the self-hacking aspect can play a particularly important role.  Try attacking your own files so you can spot the vulnerabilities a Threat Agent could employ using these API’s. I will have more to say about API’s in a future FileMaker Security BLOG post.
     
  3. If a Threat Agent can gain access to a physical copy of your file, then the Agent can mount additional attacks against it. Have you tested for this?  Use of Encryption At Rest (EAR) and removal of the [Full Access] Privilege Set and Accounts with the Developer Tool can help mitigate these type attacks. EAR is particularly effective, since even lower-level access can furnish multiple opportunities for compromise of CIAR.
     
  4. How easy is it for a Threat Agent to discover your FileMaker Server? In many instances, organizations need to make their servers available for access via the public Internet. The presumption should be that an Attacker can discover all such servers.  Sometimes this is as easy and as direct as entering the organization’s domain name into the hosts directory of Open Remote.  For example, www.somebody.com will frequently resolve to the public IP address of the server.  If administrators have not enabled File Access Filtering, then FileMaker Pro will display a list of available files.  If, in turn, a Threat Agent can access any of these, mischief can ensue. 

    Alternatively, through a process known as “Google-Dorking” attackers may discover enough information about a server to be able to attempt access.  So, the question is whether you, as the developer or administrator, have investigated how easy it might be to locate your server in any of these ways. It may be necessary to require authentication to access the Local Area Network by use of some process such as a VPN or two-factor authentication to protect these servers from outside access.

     
  5. Finally, be sure that you and the FileMaker Server Administrator have implemented a vigorous and robust back-up regimen for your FileMaker Platform deployment.  Test that you can fully restore your system from these backups; otherwise, they are not worth too much at all. Given the rise and increasing frequency of ransom-ware attacks, this is particularly important.

Speaking recently about the MedStar Hospital ransom-ware attack  (http://wtop.com/local/2016/03/medstar-paralyzed-as-hackers-take-aim-at-another-us-hospital/) one of the Editors of the SANS Bulletin (a well-known information security news letter) noted:

Quote

 

This case again highlights the need for good disaster recovery plans. Organizations should be planning today for how they will deal  with ransom-ware and other destructive attacks - these are no longer black swan events.


 

These type activities have also prompted warnings by the US and Canadian governments about ransom-ware and the need to maintain continuity of business operations in light of the threats such attacks pose.  (http://www.computerweekly.com/news/450280335/US-and-Canada-issue-joint-alert-on-ransomware)

So, Yes, do hack your own FileMaker Platform deployments.

Steven H. Blackwell

 

Steven H. Blackwell

The release of Version 15 of the FileMaker Platform brings with it a number of new security features, both in FileMaker® Server 15 and in FileMaker® Pro 15.  FileMaker® Pro 15 Advanced also has one notable security enhancement.

I have attached to this BLOG post a new White Paper that details and explains a number of these new features as well as offers some recommendations for their effective use. First however, we should take note that in the past several releases that FileMaker, Inc. has become more conscious about security issues and about equipping all the products with more features to enhance the Confidentiality, Integrity, Availability, and Resilience (CIAR) of FileMaker Platform solutions and their deployments. This is a highly welcomed development.

 

http://fmforums.com/files/file/79-new-security-features-version-15/

Steven H. Blackwell

Steven H. Blackwell

Edit Records Privileges

I have heard reports recently about some confusion regarding the behavior of the Edit Records privileges.  These privileges are set in the Privilege Set Custom Privileges area; they are part of the Record Level Access (RLA) privileges for a specific table.

Record editing privileges can be set to Yes, No, or Limited. Developers select these options from the drop-down menu under the Edit area in Custom privileges in the Privilege Set. What happens to a user’s privileges and when it happens depend on which setting a developer chooses.

Obviously the Yes setting means that the user can edit records. This is a common setting.  Developers might reasonably assume that a No setting means a user cannot edit records in the designated table. That is a correct assumption insofar as it goes; the issue is that it does not take effect until the session where the user created the record is ended.  This means that a user can create new records, and even after the user commits those records by any of several means, he or she can continue to edit them.  This persists until the session ends, usually the result of exiting FileMaker Pro.

In order for the restrictions on editing to take effect immediately upon committal of the record, developers must select the Limited option. That option is usually employed for invoking the privilege under differing conditions.  A common example would be that a user could delete only his or her own records. Another example would be to block deleting records that the user created before a certain date compared to the current date.

In this instance however, developers can simply select the Limited option and in the calculation dialog that option presents, enter a value of 0.  Thereby, once a user creates a record and commits it, the user can no longer edit the record. Committals can occur in numerous ways.  So, in this instance, it might be a good idea for the user to deselect the Layout option automatically to save records.

The following screen shots illustrate these items.

No.png

limited.png

calcValue.png

LayoutSave.png


I hope that this explanation clears up any confusion and uncertainty about the behavior of the Edit Records privilege in FileMaker Pro. 

Steven H. Blackwell
Platinum Member Emeritus, FileMaker Business Alliance

 

Steven H. Blackwell

 

FileMaker DevCon To Convene

Against Backdrop

Of Cyber-Attacks Across The Globe

 

 

July 18th 2017

 

 

In just a few days, four generations of FileMaker developers and users from all over the world will gather for the 22nd Annual FileMaker DevCon, held this year in Phoenix, Arizona. We will do so against an unprecedented backdrop of critical security issues facing businesses and organizations all over the world.  Organizations of all sizes and from every business sector are vulnerable.  Small to medium-sized businesses are particularly so, especially in the areas of financial services, health care services, and retail services.

Jeff John Roberts and Adam Lashinsky, the latter well-known as a chronicler of FileMaker, Inc.’s parent company, reported recently:

…business is under assault like never before from hackers, and the cost and severity of the problem is escalating almost daily.

(Cybersecurity: How Business Is Protecting Itself

 

http://fortune.com/2017/06/22/cybersecurity-business-fights-back/)

 

 

Bob Pisani, well-known business reporter for CNBC, also recently reported on a major cyber-attack:

…snack food and beverage giant Mondelez International became the latest victim of a cyber attack. The company said it was hit with an attack on June 27 that compromised its ability to ship and send invoices during the last four days of its second quarter.

 

 

What made this call unusual is that the company quantified exactly how much the attack hurt them: Its preliminary estimate of the impact indicates a 3 percent slice off its revenue growth rate for the quarter.

(Cybersecurity stocks rally as global hackings start to impact corporate bottom lines

 

http://www.cnbc.com/2017/07/07/cybersecurity-stocks-rally-on-mondelez-hacking.html)

 

 

Additionally, in May of 2018 developers and their client organizations on both sides of the Atlantic will become subject to the comprehensive General Data Protection Regulation (GDPR) promulgated by the European Union (EU). Organizations that store data about EU citizens are bound by the GDPR strictures, irrespective of where the organization itself resides.  It will remain to be seen how the EU is able to enforce those requirements outside its own boundaries.

These issues, of course, also apply to platforms other than FileMaker. But as the developers, administrators, custodians, and users of business systems based on the FileMaker Platform, our principal concerns must be the identification and management of these issues.

These are not principally technical or programming issues.  They are—first and foremost—business issues:  business criminal and civil liability, business continuity, and business reputation among them.

·      Organizations of every type face criminal and civil liability sanctions if a data breach occurs.

·      Some attacks and breaches can literally speaking put an organization out of business, rendering it unable to continue functioning and to provide its designated services.

·      Even if an organization is able to recoup and to continue, its reputation will be damaged and its brand diminished.

As FileMaker developers we all have a responsibility to our clients to design our business solutions and to deploy and operate them with these security constraints in mind.  As in-house developers and administrators, we likewise have the responsibility to our customers, our shareholders, our members, and our fellow employees to operate our database systems in a responsible and careful fashion.

What are some of the more significant and damaging exploits that some Threat Agent could employ against FileMaker Platform business management solutions?  And who are those Threat Agents?

Threat Agents include a variety of actors, some malevolent, some hapless, some innocent:

·      Malicious Outsiders seeking financial gain or seeking to disrupt the organization’s business processes.

·      Malicious Insiders, current or former employees, or parts of an organization’s supply chain.

·      Inept Insiders who accidentally or unknowingly cause security-related incidents that damage, delete, or otherwise alter critical organizational data.

·      Threads in the Supply Chain where carelessness or poor security practices facilitate damage to our own organizational data and functioning.

·      Finally, although this by no means is a complete list, inattentive or unknowing developers, administrators, or custodians of FileMaker Platform business management solutions who do not follow Best Practices for Security and management of those systems.

 

 

What type of exploits can Threat Agents employ that damage these solutions and thereby damage the organization as well?

·      Deleting of data, intentional or accidental.

·      Altering of data, either obvious or (more problematically) subtle in nature.

·      Extracting of data for competitive business purposes or for use for embarrassing or damaging the organization.

·      Adding of spurious data.

·      Manipulating of tracking processes for key business activities such as invoice or accounts payable processes.

 

 

What can FileMaker Platform developers and administrators do to protect against these exploits, to lessen vulnerabilities, and to reduce risks of their occurring?  Security Check Lists are almost always bad ideas, because they overlook the dynamic and on-going nature of vulnerabilities, threats, and risks.  Nevertheless, here are a few items to consider:

·      Use FileMaker Server and invoke Encryption in Transit for data flowing across networks.

·      Employ Encryption at Rest on the database files.  One of the most frequently used attack vectors is getting a copy of the files and performing attacks on them.

·      Use File Access Protection on all files in the business management solution to prevent unauthorized access to fields, tables, scripts, value lists, and similar schema elements.

·      Use finely-grained Privilege Sets.  Respect the Rule of Least Privileges that states “Users should have all the privileges necessary successfully to fulfill their roles, but no more and no higher privileges.”  Escalation of privileges is a major vulnerability.

·      Employ strong credentials to access the FileMaker business management solution.  Use the tools that FileMaker, Inc. provides.  Do not try to invent your own system for doing this. Those artificial or ersatz security systems are rife with vulnerabilities.  This is particularly true of those that first grant access to the file, even at a diminished level of Privileges, and then require the user to take some actions or go through some process before using the system.

·      Remember that the User Interface is not part of the Security Schema.  Just because you cannot see or change something via the UI does not mean that an Attacker cannot see it, alter it, or delete it.

 

 

I will hope to see many of you at the Developer Conference.  And I would be happy to discuss any of these items with you in greater detail.

 

Steven H. Blackwell

Steven H. Blackwell

Ten Frequently Encountered Practices

That Can Compromise Security of FileMaker Pro Files

April 9th 2013

In our last installment, I noted:

“In 2013, I will be focusing on promoting the goal of achieving that understanding [meaning understanding FileMaker Server] along with the parallel and related one of overcoming a similar lack of understanding and awareness about FileMaker security items.”

In this post I want to focus on ten frequently encountered practices with FileMaker Pro files that present potential vulnerabilities that could be used to compromise the Confidentiality, Integrity, or Availability of the files and their resident data. Most of these scenarios occur on files hosted by FileMaker Server; however some may pertain to standalone files as well. These scenarios occur in a variety of organizations and deployments; all present unneeded vulnerabilities.

  1. Full Access Accounts for server side scripts. Avoid the use of Accounts tied to the [Full Access] Privilege Set for running server side scripts. Use an Account tied to a subordinate level Privilege Set specifically designed for the purpose of running the script.

  2. Not disabling default Account. The default Account, whether auto-logon or not, should be disabled. This Account is Admin with a blank password. Or alternatively, add a strong password to that Account and be sure auto-logon is disabled.

  3. FMServer sample file where is as is. Developers should close and preferably remove this file from FileMaker Server if it is not being used. If it is used, disable the auto-logon and give the default Admin Account a strong password.

  4. External Server Authentication of Full Access Accounts. Avoid using External Server Authentication for Accounts tied to the [Full Access] Privilege Set. It puts the files at risk of compromise.

  5. Reliance on default subordinate Privilege Sets. The two default subordinate Privilege Sets (Data Entry Only and Read- Only Access) contain privileges considerably in excess of what their respective name implies. Create your own custom Privilege Sets instead with exactly the privileges, and only the privileges, that you need for the assigned role.

  6. Not logging out of the FileMaker Server machine. FileMaker Server is a service/daemon. It is designed to be run with no one logged into its machine. That, by far, is the safest way to run it. Running it with a user logged in or at the “Lock” position on either OS X Server or Windows Server compromises its security.

  7. Failing to Employ the File Access Protection Feature. The File Access Protection feature added in FileMaker® Pro 11, and continued in FileMaker® Pro 12, helps protect files from unauthorized and unexpected manipulation of scripts, value lists, table aliases, and other schema. It also prevents unauthorized accessing of information in an external file by manipulation of the Design Functions. Many developers simply do not invoke this feature to protect files, and this leaves them vulnerable.

  8. Enabling OS Level File Sharing. FileMaker Server does not require the use of Operating System (OS) level file sharing in order to function correctly. Such OS level shares represent an attack vector that can be exploited to compromise or to damage the files. These shares can also impede performance of FileMaker Server.

  9. Confusing Data Access Privileges And User Interface Privileges. Generally speaking, privileges assigned at the data level persist wherever the data are accessed. If a field is not editable for a given Privilege Set when that field is viewed in File A, it will likewise not be editable when viewed in File B. The same is not true however with other items such as printing or exporting. Blocking printing of data or exporting of data in File A does not block those same actions when data from File A are viewed in File B. That’s one reason why the File Access Protection feature described in item 7 is so important for protecting data.

  10. Using Enterprise Level Backup Systems on Live FileMaker Pro files. FileMaker Server has its own built-in backup processes. In FileMaker® Server 12, this includes both incremental backups that copy only changed blocks and a new hard-link backup system that prevents multiple copying of files that have not changed since their last backup. Use of enterprise level backup systems on hosted FileMaker Pro files can damage those files and adversely affect the integrity and availability of those backups. It can also damage and corrupt the original files in the process. Such enterprise systems should not be used on live, hosted files.

Developers and FileMaker Server administrators should avoid being members of the class of “Unskilled and Unaware of It” persons by learning and following Best Practices for FileMaker security.

Steven H. Blackwell

Over the past dozen years, I have discussed in a number of venues the necessity for robust security practices and the techniques needed to implement them on the FileMaker Platform. Such discussions have as their underlying framework a fairly traditional Information Security paradigm.

There are Threat Agents who seek to initiate Exploits or Threats that negatively Impact the Confidentiality, Integrity, and Availability of FileMaker Platform systems or other Digital Assets. These attacks also can damage the Resilience of the Digital Asset. These Threat Agents exploit a Vulnerability in the design or the deployment of the FileMaker systems. FileMaker Platform developers and FileMaker Server Administrators must assess the Risk that a Threat Agent will use a Vulnerability to trigger an Exploit that attacks the FileMaker Platform system.

I have learned that developers, after some examination of this concept, do understand it. And I have also learned is this: In many instances, developers do not see how these circumstances impact them. They do not connect the Information Security Paradigm model with their on-the-ground implementation of solutions built on the FileMaker Platform. That is what I intend to address in this paper.

I am going to describe some exploits and threats that target commonly-found vulnerabilities. And I will explain how to close those vulnerabilities. There are six significant and common exploits that can be run against FileMaker Platform systems. Each takes advantage of one or more of seven vulnerabilities to compromise Confidentiality, Integrity, or Availability or to damage Resilience of the system and its data. Each can be easy to trigger, and each can do significant damage.

Read more here:

http://www.fmpug.com/resources/exploit-based-approach-to-filemaker-security

Steven H. Blackwell

“What's in a name? that which we call a rose,


By any other name would smell as sweet.”

—Juliet (Romeo and Juliet, Act II, Scene 2, William Shakespeare)—

“The beginning of wisdom is to call things by their proper name.”

—Confucius—

An entire series of recent studies[1] published by well-known and well renown international security analysis and information industry firms have all made, in slightly varying language, the following key points:

  1. Data housed in files in organizations are under relentless and persistent attack by a variety of threat agents including criminals, nation states, so-called “hacktivists”, and disgruntled current or former employees.
  2. Organizations of all different sizes are vulnerable; however, smaller businesses and organizations are particularly susceptible to data breaches because they have fewer resources with which to protect themselves and are often in the supply chain of larger organizations that may house particularly valuable data. This is not to say that smaller organization themselves do not also have the same type of particularly valuable data.
  3. Financial gain, industrial espionage focused on the theft of intellectual property, and embarrassment or disruption of organization activity are three principal motivations driving threat agents to undertake attacks that result in data breaches.
  4. The data are the target, not networks or web sites, or other digital infrastructure items. It’s the data.

The data housed in FileMaker databases and resident in organizations using FileMaker Pro and FileMaker Server fall squarely into this realm. So contrary to Juliet’s assertion, we need to adopt the Confucian approach and call this by its proper name.

FileMaker databases are susceptible to attack, and the data in them can be compromised and stolen or altered or manipulated by unauthorized persons. The sooner the community recognizes this, and the sooner developers and administrators recognize this, the sooner we can begin a serious and focused discussion about how to identify the likely attackers, identify what vulnerabilities in the software they might exploit, assess the likely risk of their doing so, and develop plans to mitigate the adverse impact of successful attacks.

What type data are vulnerable? The answer is: all types. Some categories are more valuable than others; these are likely high on the list of any attacker. Financial data, personally identifiable information, intellectual property, business process information, and organizational IT data are major targets.

What type organization is most at risk? Both small and large organizations in the for-profit, the not-for-profit, and the government and education sectors are targets. While certain types of attacks tend to focus on different sized organizations, all are vulnerable. And since smaller organizations frequently lack the resources or the processes to protect themselves, they can be especially hard hit.

FileMaker Pro database systems can be found in every type organization imaginable of every size and description in well over 100 countries on seven continents. Some of these databases are well-defended; others are defenseless. We in the developer community are lagging in our efforts to address the seriousness and pervasiveness of the threats to FileMaker databases found in all types of organizations, large and small, across a range of business segments.

One sentence in one of those reports[2] I referenced at the beginning of this post stands out as a stark reminder:

“Some interpret attack difficulty as synonymous with the skill of the attacker, and while there’s some truth to that, it almost certainly reveals much more about the skill and readiness of the defender.”

It’s time for the developer community to get busy about and to get serious about protecting information stored in the systems we create. What information do your clients have that needs protecting? And what happens if you don’t do that? We will explore those two questions, along with how to determine threats and risks, in coming entries on this BLOG.

[1] Verizon, 2013 Data Breach Investigations Report

Mandiant, 2013 M Trends Threat Report

Solutionary, 2013 Global Threat Intelligence Report (GTIR)

Sophos, Security Threat Report 2013

[2] Verizon Report p. 48

Steven H. Blackwell

Permissive Versus Restrictive Privileges In FileMaker Pro Databases

—By—

Steven H. Blackwell

April 25th 2011

In older versions of FileMaker Pro, those prior to FileMaker® Pro 7, privileges were, by default, permissive. This means that users were allowed to perform all actions by default. With the introduction of the modern versions of the FileMaker Family of Products, with their appropriate focus and attention to industry standards in the security realm, the default privileges became restrictive. This means that databases privileges, especially access to tables and records, are off or restricted by default and have to be specifically enabled for a user’s Privilege Set. Even for the [Full Access] Privilege Set, privileges related to connectivity to hosted files have to be enabled by the developer.

This change began in Version 7 and has continued to the present-day FileMaker® Pro 11 where significant additional protections were added, principally File Access Protection. This is an option that developers may invoke that prevents unauthorized references to a file that could result in data manipulation, script execution, value list item extraction, and Design Function penetrations in ways most developers did not contemplate happening. Additionally, in FileMaker Pro 11, the Available menu commands options setting for a newly created subordinate Privilege Set was changed from Full to Minimum to make that privilege bit’s behavior consistent with all the others. Thus, all privilege bit settings for a newly created subordinate level Privilege Set are either off or set at the most restrictive option.

When FileMaker Pro 7 was released, these changes caused some confusion and even a bit of consternation among both new and experienced users and developers. While much of that has abated over time, it still occasionally surfaces. Yet, I would assert, the present restrictive privilege settings are the correct ones to employ. Why?

A guiding principle of information asset security is the Rule of Least Privileges. That principle holds a user should have all necessary privileges to perform his or her respective role in the database system, but no greater privileges. The FileMaker Pro Role-based Privileges System conforms to this important industry standard principle.

In older versions developers had to try to close all open avenues of access to their database systems. Frequently such actions failed simply because even experienced developers did not know all the “open windows” so to speak. They could close and lock the “front door” and often the “back door” as well. But some windows would be left wide open. This made effective security implementation difficult, threatening both client data and developer intellectual property. The modern-day version of the product closes these wide-open avenues. Now, developers, for the overwhelming part, must explicitly authorize access and privileges. This allows them to protect client’s data and business processes management as well as to secure their own intellectual property.

Preservation of Confidentiality, Integrity, and Availability of digital assets, and sometimes of physical ones as well, is the over-arching purpose of information security in the modern world. FileMaker® Pro 11, the latest iteration of the product, provides more tools and features to accomplish effective security implementation than any prior version of the product. The Rule of Least Privileges is at its best implementation with the current version. I urge developers to employ these security features to their maximum effect.

Steven H. Blackwell

×

Important Information

By using this site, you agree to our Terms of Use.