Steven H. Blackwell

Hello, Peter. Are you calling the machine by its IP address or by its Fully Qualified Domain Name? The latter is required to get a ConnectionStatus of 3 aka the "green lock" symbol. Steven H. Blackwell

The face of computing and data access has changed enormously over the past decade. In an always-on, connect-from-anywhere, mobile-device-driven world, the network perimeter has disappeared. With that disappearance has come a variety of new security and business process challenges to the Confidentiality, Integrity, Availability, and Resilience of organization digital assets. Coupled with growing regulatory strictures, business reputation management requirements, and customer or client trust, modern day information management challenges have multiplied. Verification of authenticity of users who seek to access these assets is now the major information security challenge. Federated Identity Management is one of the most important concepts in modern Information Security Services. What is it, and how do developers and administrators implement it? What problems does it solve? How does it relate to the FileMaker Platform? A new White Paper discusses this and the related concept of Zero Trust Security, something very important to the future of the FileMaker Platform in my view. You can download the White Paper here: https://fmforums.com/files/file/105-federated-identity-management-zero-trust-and-the-filemaker-platform/ Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance

View File Federated Identity Management, Zero Trust, And The FileMaker Platform Federated Identity Management is one of the most important concepts in modern Information Security Services. What is it, and how do developers and administrators implement it? What problems does it solve? How does it relate to the FileMaker Platform? Submitter Steven H. Blackwell Submitted 07/09/2018 Category White Papers FM Version Not Applicable  

The new version of the FileMaker Platform contains a new feature called Account Lockout. This feature’s purpose is to help thwart brute force attacks against hosted files. Such attacks try a large number of passwords against an Account in an attempt to gain access to the file. Here are a few key points about this new feature: v It works for files hosted on FileMaker® Server 17 only. It does not work for files hosted on earlier versions of FileMaker Server or for stand-alone files. v It works against internal FileMaker Accounts only. Externally authenticated Accounts, including those using oAuth, have their own rules regarding failed attempts. v Any version of FileMaker Pro that can access the files on the Server can trigger this feature. It does not have to be a FileMaker® Pro 17 Advanced client. For a detailed description of this new feature, complete with illustrations, you can download the attached PDF. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance WhatIsAccountLockout_v1R.pdf.zip

View File FileMaker® Server 17: Admin Console, Admin CLI, And Admin API Extensive discussion of new methods for administering FileMaker Server. Joint authored with Wim Decorte. Submitter Steven H. Blackwell Submitted 05/15/2018 Category White Papers  

View File FileMaker® Server 17: Server Monitoring Functionality Discussion of new processes for monitoring FileMaker Server. Jointly authored with Wim Decorte. Submitter Steven H. Blackwell Submitted 05/15/2018 Category White Papers  

View File FileMaker® Server 17 And SSL Certificates: Configuration And Use Information about new SSL processes and options. Jointly authored with Wim Decorte. Submitter Steven H. Blackwell Submitted 05/15/2018 Category White Papers  

The Women of FileMaker organization is sponsoring a Pause On Error FileMaker Conference May 7th-8th in New Orleans. More information at the website: https://www.pauseonerror.com/ Steven H. Blackwell

OK, there is some confusion here about how all this works. First, I would recommend that you use FileMaker Server to host your file, rather than try to access it peer-to-peer as you are trying to do here. The error message you are receiving is the result of processes designed to protect your file. if you want to employ peer-to-peer, open the FileMaker file on the machine where it physically resides. Then, from elsewhere on the network, launch FileMaker Pro and go to the hosts dialog. Your file should be visible there. Clicking on the link will launch the file on the guest machine. Port 5003 likely needs to be open on all machines. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance

"Are you saying that OnOpenTriggers can be bypassed by someone whose privilege set is authorized to only execute scripts, who has no authorization to edit layouts, edit value lists, or edit (or view) scripts?" Yes, that is correct. It may vary, as you suggested, from situation to situation. This is one of the reasons we advise people not to employ such scripts for "security" purposes. As previously noted, as we have gone from version to successive version over the past 13 3/4 years, FIleMaker, Inc. has worked to close a number of the potential attack vectors, including external file manipulation and use of external API's. Remember also, please, that the script itself has nothing to do really with gaining access to the file. If someone obtains credentials for an Account, that person can access the file. In most instances accessing the file with trigger the OnOpen script. But we cannot 100% guarantee that in every instance that this will occur. In fact, we can state the opposite; in some instances it can be possible to by-pass the firing of the script. And circumstances will vary version by version. I realize this is not the answer you wanted to hear. However, it is the best information I can provide you about this topic. Steven H. Blackwell

In my view, we need to restate the question here as well as to examine the underlying premise: • The OnOpen script presumably exists for some purpose related to the design of the database system, to the business processes it manages, or to both. • The larger question is what would happen to either if the file were opened and the OnOpen script did not run. An Attacker can bypass an OnOpen script in any of several ways. Other design considerations in the file will influence the selection of some of these. Peer to peer hosting, even with EAR, is not optimal, but it will work. EAR has little impact in this situation; however, it is good to have it. So the base question is whether you have protected the file against unauthorized manipulation in such a way that it could be opened without triggering the OnOpen script. Developers typically invoke such protection by use of fine-grained privileges in specific Privilege Sets particularly as they relate to scripts, by extremely judicious use of layout-based script triggers, and by employment of File Access Protection. As we have moved to later and later versions of the products, FileMaker, Inc. has provided additional controls to prevent External API's such as Active X and AppleEvents from serving as conduits for manipulation of files that could result in their opening without triggering an OnOpen script. You can read more about that here: https://fmforums.com/blogs/entry/1738-behavior-change-api-privileges-in-version-16/ as well as following the references in that BLOG post to earlier ones here on FM Forums. Respectfully, Steven H. Blackwell Partner Member Emeritus, FileMaker Business Alliance