Michael Westendorf, Senior Application Developer, www.dbservices.com

FILEMAKER SECURITY: PROTECT YOUR DATA

Upload: db-services

Posted on 14-Jan-2017


TRANSCRIPT


Questions

If you have a question, please type it into the console. If we don’t get to your question, please send it to [email protected]

Overview

• Protecting your FileMaker file

• FileMaker Server best practices

• Basic techniques

• Security industry trends

• Checklist to securing your application

About DB Services

• We are a team of analysts, developers, and designers creating custom applications to make your organization more effective and efficient. Learn more about our FileMaker services on our website.

• If you leave this presentation wanting to learn more, check out our FileMaker Blog, where we post new content each month.

• To learn more about DB Services, check out our website at www.dbservices.com

Background

Work

• Sponsor at FileMaker Developer Conference

• Member of FM Academy

• Article included in FM Newsletter

• Global presence (Canada, Europe, Africa, Asia)

• Team focused on adding value

• Senior Application Developer at DB Services

• Certified in 12, 13, 14, 15

• Working with FileMaker for over 10 years

Read more about me on our website, dbservices.com, in the About section

Protecting Your File

• Disable generic Admin full access account

• Enable File Access Restrictions

• Set min version in file options (FileMaker 13)

• Use External Authentication

• Enable Encryption At Rest

Protecting Your File

External Authentication / Single Sign-On

• Your organization already uses Active Directory or Open Directory

• Your FileMaker files will be accessed by other files in a multi-file solution.

• Your organization enforces minimum password standards. FileMaker can only enforce password length and frequency of changing password.

• Note: It is possible for someone to replicate your security group (a domain and group with the same names) and gain access to data

Protecting Your File

Encrypt your file (Encryption At Rest) using a passphrase

• Secures the file against domain replication

• Prevents the file from being cracked with third party tools

Protecting Your File

Privilege Sets - Data Access and Design

• Records
  • View, Edit, Create, Delete
  • Individual fields
  • Access to FM calc engine

• Layouts
  • View, Edit existing layouts
  • Limit creation of new layouts
  • Disable record access

• Value Lists
  • View, Edit existing lists
  • Limit creation

• Scripts
  • Execute or Edit
  • Limit creation

Protecting Your File

Privilege Sets - Extended Privileges

• Limits how the file is accessed
  • Network, WebDirect, ODBC, XML, PHP

• You can create your own to further extend your application.

Protecting Your File

Privilege Sets - Other Privileges

Limits access to:

• Printing

• Exporting

• Manage extended privileges

• Allow user to override data validation warnings

• Disconnect Idle users

• Allow users to modify passwords

• Password Requirements

• Limiting menu commands

Best Practices

• Encrypt sensitive data at field level by use of plug-ins: http://www.dbservices.com/articles/filemaker-encryption-with-baseelements

• Limit Plug-Ins

• Prevent unwanted access from FM Advanced (Data Viewer)

• Use guard clauses to prevent scripts from executing

• Disable unnecessary layout modes, especially table view

• Don’t use global variables as security flags/booleans
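As an added example for the two bullets above (guard clauses, and not trusting global variables as security flags), here is how a privileged FileMaker script can verify the account before it does anything. This is illustrative code written for this page, not a script from the slides or from DB Services; the privilege set name "manager", the table name "Invoice", and the reliance on the "fmapp" extended privilege are assumptions chosen for the example.

```filemaker
# Script: Delete Invoice (guarded)
# Added example, not from the slides. Assumed names: privilege set "manager",
# table "Invoice", extended privilege "fmapp".

# Guard 1: the decision comes from the account the server authenticated,
# re-read at run time, never from a flag stored earlier in a variable.
If [ Get ( AccountPrivilegeSetName ) ≠ "manager" and Get ( AccountPrivilegeSetName ) ≠ "[Full Access]" ]
    Exit Script [ Result: "Error: this account may not delete invoices" ]
End If

# Guard 2: the account must carry the extended privilege this script is built for.
If [ IsEmpty ( FilterValues ( Get ( AccountExtendedPrivileges ) ; "fmapp" ) ) ]
    Exit Script [ Result: "Error: fmapp extended privilege required" ]
End If

# Guard 3: refuse to run from the wrong context; a script fired from another
# layout would otherwise act on whatever record happens to be current.
If [ Get ( LayoutTableName ) ≠ "Invoice" or Get ( FoundCount ) = 0 ]
    Exit Script [ Result: "Error: run from an Invoice layout with a record selected" ]
End If

# Guard 4: a required parameter must be present before any change is made.
If [ IsEmpty ( Get ( ScriptParameter ) ) ]
    Exit Script [ Result: "Error: missing invoice id parameter" ]
End If

# Only now do the privileged work, and report the outcome to the caller.
Set Error Capture [ On ]
Delete Record/Request [ No dialog ]
Exit Script [ Result: If ( Get ( LastError ) = 0 ; "OK" ; "Error: " & Get ( LastError ) ) ]

# ANTI-PATTERN the last bullet warns against (shown here only as comments):
#   Set Variable [ $$isManager ; Value: Get ( AccountPrivilegeSetName ) = "manager" ]
#   ... later, in every privileged script ...
#   If [ $$isManager ]
# $$isManager is ordinary client-side state. Anyone who can reach the Data
# Viewer in FileMaker Pro Advanced, or run any script that sets the variable,
# can change it, so a check on it grants access to whoever edited the flag.
# Get ( AccountPrivilegeSetName ) is evaluated against the logged-in account
# each time it is called and cannot be overwritten the same way.
```

Because every guard re-evaluates a Get() function when the script runs, the check holds even if a user reaches the script by an unexpected route (a hidden button, a script trigger, or a script called from another file). Hiding the menu command or button through the privilege set is still worthwhile, but treat the guard, not the hidden interface element, as the control, which is the same point the "Interface level security in FM is not real security" slide makes later.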

Best Practices

Custom Account Management

• Awareness of Find behavior

• Using Snapshot links

• Create a custom No Access privilege set
  • More restrictive than read only

FileMaker Server Best Practices

• Remove the sample file from the server

• Hide individual files that are hosted on the server

• List only the databases each user is authorized to access

• Enable SSL and use a signed certificate

• Disable Plug-In installation via a script step

• Restrict access to Admin Console by IP address

• Disable technologies not needed XML, PHP, ODBC

• Enable client timeout

General Security Topics

• Interface level security in FM is not real security
  • Exports, table view, data viewer

• Sanitize all data gathered on web forms

• Encrypt your hard disk drives

• Review server logs for potential attacks
  • Block unwanted IPs that are trying to brute force their way in

• Send sensitive information via encrypted emails
  • Use 3rd party tools like Virtru to make this easier

Security Industry Trends

• Enhanced use of encryption

• Resistance to cloud technology

• Application penetration testing

• Mobile security

• Two step authentication

Security Industry Trends

Application penetration testing

• Input Validation

• Buffer Overflow

• Cross Site Scripting

• URL Manipulation

• SQL Injection

• Hidden Variable Manipulation

• Cookie Modification

• Authentication Bypass

• Code Execution

Security Checklist

Check out the post on DB Services website to obtain the Security Checklist.

https://www.dbservices.com/articles/filemaker-safety-checklist/

Resources

• FileMaker Security Guide http://www.filemaker.com/downloads/documentation/fm12_security_guide_en.pdf

• An Exploit-Based Approach To Providing FileMaker Platform Security - Steven Blackwell

• FileMakerTalk Podcast, Episode 103: Security