Ten Frequently Encountered Practices
That Can Compromise Security of FileMaker Pro Files
April 9th 2013
In our last installment, I noted:
“In 2013, I will be focusing on promoting the goal of achieving that understanding [meaning understanding FileMaker Server] along with the parallel and related one of overcoming a similar lack of understanding and awareness about FileMaker security items.”
In this post I want to focus on ten frequently encountered practices with FileMaker Pro files that present potential vulnerabilities that could be used to compromise the Confidentiality, Integrity, or Availability of the files and their resident data. Most of these scenarios occur on files hosted by FileMaker Server; however, some may pertain to standalone files as well. These scenarios occur in a variety of organizations and deployments; all present unneeded vulnerabilities.
1. Full Access Accounts for server-side scripts. Avoid the use of Accounts tied to the [Full Access] Privilege Set for running server-side scripts. Use an Account tied to a subordinate level Privilege Set specifically designed for the purpose of running the script.
2. Not disabling the default Account. The default Account, whether auto-logon or not, should be disabled. This Account is Admin with a blank password. Alternatively, add a strong password to that Account and be sure auto-logon is disabled.
3. Leaving the FMServer sample file in place, as is. Developers should close and preferably remove this file from FileMaker Server if it is not being used. If it is used, disable the auto-logon and give the default Admin Account a strong password.
4. External Server Authentication of Full Access Accounts. Avoid using External Server Authentication for Accounts tied to the [Full Access] Privilege Set. It puts the files at risk of compromise.
5. Reliance on default subordinate Privilege Sets. The two default subordinate Privilege Sets (Data Entry Only and Read-Only Access) contain privileges considerably in excess of what their respective names imply. Create your own custom Privilege Sets instead with exactly the privileges, and only the privileges, that you need for the assigned role.
6. Not logging out of the FileMaker Server machine. FileMaker Server is a service/daemon. It is designed to be run with no one logged into its machine. That, by far, is the safest way to run it. Running it with a user logged in or at the “Lock” position on either OS X Server or Windows Server compromises its security.
7. Failing to Employ the File Access Protection Feature. The File Access Protection feature added in FileMaker® Pro 11, and continued in FileMaker® Pro 12, helps protect files from unauthorized and unexpected manipulation of scripts, value lists, table aliases, and other schema. It also prevents unauthorized accessing of information in an external file by manipulation of the Design Functions. Many developers simply do not invoke this feature to protect files, and this leaves them vulnerable.
8. Enabling OS Level File Sharing. FileMaker Server does not require the use of Operating System (OS) level file sharing in order to function correctly. Such OS level shares represent an attack vector that can be exploited to compromise or to damage the files. These shares can also impede performance of FileMaker Server.
9. Confusing Data Access Privileges And User Interface Privileges. Generally speaking, privileges assigned at the data level persist wherever the data are accessed. If a field is not editable for a given Privilege Set when that field is viewed in File A, it will likewise not be editable when viewed in File B. The same is not true, however, of other items such as printing or exporting. Blocking printing of data or exporting of data in File A does not block those same actions when data from File A are viewed in File B. That’s one reason why the File Access Protection feature described in item 7 is so important for protecting data.
10. Using Enterprise Level Backup Systems on Live FileMaker Pro files. FileMaker Server has its own built-in backup processes. In FileMaker® Server 12, this includes both incremental backups that copy only changed blocks and a new hard-link backup system that prevents multiple copying of files that have not changed since their last backup. Use of enterprise level backup systems on hosted FileMaker Pro files can damage those files and adversely affect the integrity and availability of those backups. It can also damage and corrupt the original files in the process. Such enterprise systems should not be used on live, hosted files.
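As a check for the OS level file sharing practice above, the following added example (not part of the original post and not FileMaker tooling) reports every share whose path overlaps the hosted database folder, including a share on a parent folder. The database path is an assumed default for a Windows install, and the share list is constructed sample data standing in for what `net share` reports on the server.

```python
from pathlib import PureWindowsPath

# Assumption: database folder of a default Windows FileMaker Server install.
DB_DIR = r"C:\Program Files\FileMaker\FileMaker Server\Data\Databases"

# Constructed sample data: (share name, local path) pairs.
SHARES = [
    ("Public", r"D:\Shares\Public"),
    ("FMData", r"c:\program files\filemaker\filemaker server\Data"),
    ("Inside", DB_DIR + r"\Clients"),
    ("OldDBs", DB_DIR + "_old"),   # sibling folder, must not match
    ("DBs", DB_DIR),
]

def _parts(path):
    # Windows paths are case-insensitive, so compare lower-cased components.
    # Comparing components (not raw strings) keeps "Databases_old" from
    # matching "Databases".
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def exposing_shares(db_dir, shares):
    """Return (name, path, reason) for each share that overlaps db_dir."""
    db = _parts(db_dir)
    findings = []
    for name, path in shares:
        sp = _parts(path)
        if not sp:
            continue
        if sp == db:
            reason = "share root is the database folder"
        elif db[:len(sp)] == sp:
            # A share on any ancestor folder exposes the hosted files too.
            # Administrative shares such as C$ land here as well.
            reason = "share contains the database folder"
        elif sp[:len(db)] == db:
            reason = "share is inside the database folder"
        else:
            continue
        findings.append((name, path, reason))
    return findings

if __name__ == "__main__":
    for name, path, reason in exposing_shares(DB_DIR, SHARES):
        print(f"{name}: {path} ({reason})")
```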
Developers and FileMaker Server administrators should avoid being members of the class of “Unskilled and Unaware of It” persons by learning and following Best Practices for FileMaker security.