I have recently learned that there may be any number of FileMaker Server installations world-wide that are hosting files that open automatically without credentials challenge to the [Full Access] Privilege Set. The default-installed FileMaker Server Sample File is one of these; however, there are others.
This is not a good practice. A file that opens unchallenged to [Full Access] hands any client that can reach the server the full set of privileges over that file: its data, its schema, and its scripts. Such files therefore offer an attractive attack vector that a Threat Agent can use to inflict damage on the FileMaker Server machine or on its hosted files. If a Threat Agent can locate the server and access it, an attack can occur using these files.
Most attacks occur when a Threat Agent utilizes some vulnerability to mount an exploit that has some negative impact on the Confidentiality, Integrity, or Availability (CIA) of a digital asset such as a FileMaker Pro database. To that we must now add that the exploit can adversely impact the Resilience of the database system as well. We measure that negative impact of an attack along a continuum ranging from Limited to Serious to Severe to Catastrophic. In managing security in FileMaker database systems, we work to block Threat Agents, to close vulnerabilities, and to mitigate the negative impact of an attack.
I would therefore strongly recommend the following actions:
- If you do not need the FileMaker Server Sample File, then remove it from your server. If you do need it, give it credentials or have it open to a restricted privilege level.
- If you have other files that open without challenge to [Full Access] privileges, then change that process to require credentials or, at the least, to open to a restricted level of privileges.
- Periodically review the FileMaker Server Access Log to see if it contains evidence of unusual or unexpected access to the server. Of course, for that to work, you must enable this log in the FileMaker Server Admin Console.
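As an added illustration of the third recommendation (this is example code written for this note, not a FileMaker Inc. tool or part of the original post), the script below scans Access Log entries for the kinds of events worth a second look: opens of files known to open without a credentials challenge, sign-ins to a [Full Access]-level account, connections from addresses outside the networks you expect, and activity outside business hours. The log lines, the `FMServer_Sample` file name, the `Admin` account name, and the column layout matched by the regular expression are all constructed for the example; the exact layout of your server's Access.log depends on the FileMaker Server version, so adjust `LINE_RE` to match it.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines in an Access.log-like layout:
# timestamp <TAB> level <TAB> server host <TAB> message.
# These are made-up entries for the example, not real log output.
SAMPLE_LOG = """\
2024-05-06 09:12:44.123 +0000\tInformation\tfms.example.internal\tClient "Jane Doe (JANE-MAC) [10.0.0.15]" opening database "Sales" as "jane".
2024-05-06 23:41:02.551 +0000\tInformation\tfms.example.internal\tClient "Unknown (LAPTOP-X) [203.0.113.77]" opening database "FMServer_Sample" as "Admin".
2024-05-07 02:05:19.004 +0000\tInformation\tfms.example.internal\tClient "Bob (BOB-PC) [10.0.0.22]" opening database "Sales" as "bob".
2024-05-07 10:30:00.000 +0000\tInformation\tfms.example.internal\tClient "Guest (HOST-1) [10.0.0.40]" opening database "FMServer_Sample" as "Guest".
"""

# Assumed line format; adapt the pattern to the columns your Access.log actually has.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4}\t'
    r'(?P<level>\w+)\t(?P<server>\S+)\t'
    r'Client "(?P<client>[^"]*)\[(?P<ip>[^\]]+)\]" '
    r'opening database "(?P<file>[^"]+)" as "(?P<account>[^"]+)"\.$'
)


def audit(log_text, watched_files, trusted_networks,
          privileged_accounts=frozenset({'Admin'}),
          business_hours=(time(8), time(18))):
    """Return a list of findings, one per log line that trips at least one rule.

    watched_files      - files known to open without a credentials challenge
    trusted_networks   - CIDR strings for client addresses you expect to see
    privileged_accounts- account names that belong to [Full Access]-level sets
    business_hours     - (start, end) local times; access outside them is flagged
    """
    trusted = [ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an "opening database" event in the assumed layout
        opened_at = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        client_ip = ip_address(m['ip'])
        reasons = []
        if m['file'] in watched_files:
            reasons.append('open of a file that opens without a credentials challenge')
        if m['account'] in privileged_accounts:
            reasons.append('sign-in to a privileged account')
        if not any(client_ip in net for net in trusted):
            reasons.append('client address outside trusted networks')
        if not (business_hours[0] <= opened_at.time() < business_hours[1]):
            reasons.append('access outside business hours')
        if reasons:
            findings.append({
                'time': m['ts'], 'file': m['file'], 'account': m['account'],
                'ip': str(client_ip), 'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    # Trusted range and watched file are constructed values for the example.
    for f in audit(SAMPLE_LOG, {'FMServer_Sample'}, ['10.0.0.0/8']):
        print(f"{f['time']}  {f['file']!r} as {f['account']!r} from {f['ip']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the sample above, the first line (a known user, from the internal network, during the day) produces no finding; the other three are reported with the rule or rules each one tripped. Pointing the script at the real log means feeding it the file contents instead of `SAMPLE_LOG`, and the real value of the exercise is in the parameters: the watched-file list should be empty once the earlier two recommendations have been carried out, so any hit on it is itself a sign that something was missed.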
It is my view that in the FileMaker community we have a responsibility to one another to help each other maintain safe systems, to avoid and to prevent attacks, and to block Threat Agents. I will continue to advise the community of security-related items from time to time.
Steven H. Blackwell