Michael Westendorf presents FileMaker Security. With the recent security breaches at companies like Anthem, Target, and Morgan Stanley, it is important to stop and review security measures that we as FileMaker developers have at our disposal.
Learn about the following:
-Configuring your FileMaker file to prevent unwanted access
-FileMaker Server security best practices
-Scripting techniques for enhanced security
-Security industry trends
-FM injection on web forms
-Checklist to securing your application
2. Questions
If you have a question, please type it into the console. If we don't get to your question, please send it to fba@dbservices.com
3. Overview
• Protecting your FileMaker file
• FileMaker Server best practices
• Basic techniques
• Security industry trends
• Checklist to securing your application
4. About DB Services
• We are a team of analysts, developers, and designers creating custom applications to make your organization more effective and efficient. Learn more about our FileMaker services on our website.
• If you leave this presentation wanting to learn more, check out our FileMaker Blog, where we post new content each month.
• To learn more about DB Services, check out our website at www.dbservices.com
5. Background
Read more on me on our website, dbservices.com, in the About section
Work
• Sponsor at FileMaker Developer Conference
• Member of FM Academy
• Article included in FM Newsletter
• Global presence (Canada, Europe, Africa, Asia)
• Team focused on adding value
• Senior Application Developer at DB Services
• Certified in 12, 13, 14, 15
• Working with FileMaker for over 10 years
6. Protecting Your File
• Disable generic Admin full access account
• Enable File Access Restrictions
• Set minimum version in file options (FileMaker 13)
• Use External Authentication
• Enable Encryption At Rest
7. Protecting Your File
External Authentication/single sign-on
• Your organization already uses Active Directory or Open Directory
• Your FileMaker files will be accessed by other files in a multi-file solution.
• Your organization enforces minimum password standards. FileMaker can only enforce password length and frequency of changing password.
• Note: Possible for someone to replicate your security group and gain access to data
8. Protecting Your File
Encrypt your file using a password phrase
• Secures the file against domain replication
• Prevents the file from being cracked with third-party tools
9. Protecting Your File
Privilege Sets - Data Access and Design
• Records
• View, Edit, Create, Delete
• Individual fields
• Access to FM calc engine
• Layouts
• View, Edit existing layouts
• Limit creation of new layouts
• Disable record access
• Value Lists
• View, Edit existing lists
• Limit Creation
• Scripts
• Execute or Edit
• Limit creation
11. Protecting Your File
Privilege Sets - Extended Privileges
• Limits how the file is accessed
• Network, WebDirect, ODBC, XML, PHP
• You can create your own to further extend your application.
12. Protecting Your File
Privilege Sets - Other Privileges
Limits access to
• Printing
• Exporting
• Manage extended privileges
• Allow user to override data validation warnings
• Disconnect Idle users
• Allow users to modify passwords
• Password Requirements
• Limiting menu commands
14. Best Practices
• Encrypt sensitive data at field level by use of plug-ins
http://www.dbservices.com/articles/filemaker-encryption-with-baseelements
• Limit Plug-Ins
• Prevent unwanted access from FM Advanced (Data Viewer)
• Use guard clauses to prevent scripts from executing
• Disable unnecessary layout modes, especially table view
• Don’t use global variables as security flags/booleans
15. Best Practices
Custom Account Management
• Awareness of Find behavior
• Using Snapshot links
• Create a custom No Access privilege set
• More restrictive than read only
17. FileMaker Server Best Practices
• Remove the sample file from the server
• Hide individual files that are hosted on the server
• List only the databases each user is authorized to access
• Enable SSL and use a signed certificate
• Disable Plug-In installation via a script step
• Restrict access to Admin Console by IP address
• Disable technologies that are not needed (XML, PHP, ODBC)
• Enable client timeout
18. General Security Topics
• Interface level security in FM is not real security
• Exports, table view, data viewer
• Sanitize all data gathered on web forms
• Encrypt your hard disk drives
• Review server logs for potential attacks
• Block unwanted IPs that are trying to brute force their way in
• Send sensitive information via encrypted emails.
• Use third-party tools like Virtru to make this easier
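The "sanitize all data gathered on web forms" point is where FM injection lives: a visitor who types find operators such as `*` or `==` into a field that feeds a Perform Find can widen or change the find. The following is an added example, not code from the deck or from DB Services; it assumes the FileMaker find syntax in which a backslash makes the next character literal, and the field names `email` and `last_name` are hypothetical.

```python
"""Added example (not code from the DB Services deck): neutralise FileMaker
find operators in web-form input before it becomes a find criterion.

Assumes the FileMaker find syntax in which a backslash makes the next
character literal (e.g. \\@ finds a literal @); 'email' and 'last_name' are
hypothetical field names chosen for the demo.
"""

# Characters FileMaker interprets inside a find request: wildcards (@ * #),
# relational / exact-match operators (= < > ~ !), phrase quotes, the range
# and date shortcuts built from . and /, and the escape character itself.
FM_FIND_OPERATORS = frozenset('@*#?!=<>~"\\./\u2264\u2265\u2260')


def escape_fm_find(value: str) -> str:
    """Return value with every FileMaker find operator backslash-escaped."""
    return ''.join('\\' + ch if ch in FM_FIND_OPERATORS else ch for ch in value)


def has_find_operators(value: str) -> bool:
    """True when raw input would change the meaning of a find request."""
    return any(ch in FM_FIND_OPERATORS for ch in value)


def exact_match_criterion(value: str) -> str:
    """Criterion that matches the whole field content literally (== prefix)."""
    return '==' + escape_fm_find(value)


def build_find_criteria(form: dict, allowed_fields: frozenset) -> dict:
    """Map validated web-form input to {field: criterion}.

    Field names are checked against an allow-list so a visitor cannot target
    arbitrary fields; values are escaped so operators become literal text.
    Empty values are dropped rather than sent as match-anything criteria.
    """
    criteria = {}
    for field, raw in form.items():
        if field not in allowed_fields:
            raise ValueError(f'unexpected form field: {field!r}')
        raw = raw.strip()
        if raw:
            criteria[field] = exact_match_criterion(raw)
    return criteria


if __name__ == '__main__':
    # Constructed input: a visitor types a wildcard instead of an address.
    hostile = {'email': '*', 'last_name': 'Doe'}
    print(build_find_criteria(hostile, frozenset({'email', 'last_name'})))
```

With the escape applied, `*` becomes the literal criterion `==\*`, so the find matches only a field that actually contains an asterisk instead of every record.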
19. Security Industry Trends
• Enhanced use of encryption
• Resistance to cloud technology
• Application penetration testing
• Mobile security
• Two step authentication
21. Security Checklist
Check out the post on the DB Services website to obtain the Security Checklist.
https://www.dbservices.com/articles/filemaker-safety-checklist/
22. Resources
• FileMaker Security Guide
http://www.filemaker.com/downloads/documentation/fm12_security_guide_en.pdf
• An Exploit-Based Approach To Providing FileMaker Platform Security - Steven Blackwell
• FileMakerTalk Podcast, Episode 103: Security