Jump to content
  • entries
  • comments
  • views

Protect Your FileMaker Server and Files From A Vulnerability

Steven H. Blackwell


I have recently learned that there may be any number of FileMaker Server installations world-wide that are hosting files that open automatically without credentials challenge to the [Full Access] Privilege Set. The default-installed FileMaker Server Sample File is one of these; however, there are others.

This is not such a good practice. Such files offer an attractive attack vector that a Threat Agent can use to inflict damage on the FileMaker Server machine or on its hosted files. If a Threat Agent can locate the server and access it, an attack can occur using these files.

Most attacks occur when a Threat Agent utilizes some vulnerability to mount an exploit that has some negative impact on the Confidentiality, Integrity, or Availability (CIA) of a digital asset such as a FileMaker Pro database. To that we must now add that the exploit can adversely impact the Resilience of the database system as well. We measure that negative impact of an attack along a continuum ranging from Limited to Serious to Severe to Catastrophic. In managing security in FileMaker database systems, we work to block Threat Agents, to close vulnerabilities, and to mitigate the negative impact of an attack.

I would therefore strongly recommend the following actions:

  1. If you do not need the FileMaker Server Sample File, then remove it from your server. If you do need it, give it credentials or have it open to a restricted privilege level.
  2. If you have other files that open without challenge to [Full Access] privileges, then change that process to require credentials or, at the least, to open to a restricted level of privileges.
  3. Periodically review the FileMaker Server Access Log to see if it contains evidence of unusual or unexpected access to the server. Of course, for that to work, you must enable this log in the FileMaker Server Admin Console.

It is my view that in the FileMaker community we have a responsibility to one another to help each other maintain safe systems, to avoid and to prevent attacks, and to block Threat Agents. I will continue to advise the community of security-related items from time to time.

Steven H. Blackwell


Recommended Comments

Thank you for this timely reminder -


I can see this being much easier for the un-intentioned developer to open themselves up for vulnerability now that UPLOAD to server is right there in the toolbar / menubar, making it very easy to upload a "test" file to test out an idea or solution. 

Link to comment

I think another likely scenario, in addition to a "test" file, is when a user who has sufficient access, or an administrator who doesn't realize the risk, puts up a file that is not part of a secure solution... in which they don't consider the data to be critical.  Honestly, I have put many such files on servers in the past...  Thanks for identifying this issue, Steven.

  • Like 1
Link to comment

Danny and Ocean West (aka D), you are both very welcome.  Thanks to both of you for your years of effort to aid the community better to understand security related items.



Link to comment
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.