Archives March 2019

Security Checklist

How secure is your FileMaker solution?

AppWorks attended the PauseOnSecurity conference in October of 2018, which ignited our passion for security. The conference findings were surprising, and we learned that many servers and databases previously thought secure are not. We also learned how to secure them.

To help the community, we created this Security Checklist as a means for businesses to evaluate their own security settings and risks. The list below is not exhaustive, but does cover many of the most common risks and settings that can compromise database security.

For a complete audit of your database’s security settings, contact For this audit, we use the entire 50+ item checklist.

These are the top items ranked by severity and relative risk in the areas of the Server OS, FileMaker Server settings, and your FileMaker database.

Server OS

1. Are the key usernames on your server unique and not easily identifiable (e.g. “Hari Seldon” instead of “Admin”)?

For the OS-level accounts on the server, avoid the following user names:





FMS Admin

Local Admin

Automated attack tools routinely try common usernames. A more distinctive username, such as ‘ABCtech-admin’, is much less likely to be hacked than a common username like ‘Admin’.

2. Is your server in a physically secure location?

A FileMaker Server should be located in a secured room with only authorized individuals permitted access. The server should be password protected, and primary and secondary backups should be secure.

This is one area where cloud servers are actually more secure than on-premises servers, because cloud facilities, like AWS, have extremely strong physical security.

In addition to considering physical theft of the server or backup media, also consider the server’s risk of fire, flood, or other damage; this all falls under physical security.

3. Is your server desktop locked with a secure password?

The server desktop should be locked with a secure account name and password. For example, an account name like Hari Seldon and a password like one of these: LeQaDWzuRyR-cp6vXAG{ex_M or cataract-sensory-masque-outflow-pundit-stand.

These are secure because of the most important aspect of a password: its length.

Consider using a different account name and password for the server admin account, the FileMaker server console, and the FileMaker database for highest security. After doing server maintenance, log out of the server so that it’s always left on a lock screen.

4. Do you have an offsite location for your backup files that is separate from your primary server?

Secure offsite backups in case of theft, fire or other disaster. If your primary database is Encrypted at Rest (EAR), then all backups are also encrypted, which greatly increases their security.

FM Server

5. Do you have a custom TLS/SSL Certificate?

It is highly recommended that you install a custom TLS/SSL certificate: a valid, non-expired certificate issued by a reputable certificate authority and supported by FileMaker Server.

This is especially important if your database is accessible to the outside world without VPN, such as if the database is hosted with a vendor or FileMaker Cloud.

Read here about importing an SSL certificate.

6. Is the Remote Desktop port blocked on the FileMaker server machine?

Using a network firewall, or firewall software on your server, block Remote Desktop access port 3389 on your Windows Server, or port 5900 for VNC on the Mac. This port is a common attack vector.

Whitelist specific IP addresses in your firewall so the users that need to administer the server can do so.

It’s also possible to use alternate (random) port numbers for these services, which provides even better security, though this can be difficult.
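
One way to verify items 5 and 6 from outside your own network, as an added example (not AppWorks code): the script below checks that the server presents a trusted, non-expired certificate and that ports 3389 and 5900 do not answer. The hostname and the use of port 443 for the TLS check are assumptions; run it from a machine whose IP address is not on your firewall whitelist.

```python
import socket
import ssl
import sys
import time

# Ports named in checklist item 6: Remote Desktop (Windows) and VNC (Mac).
REMOTE_ADMIN_PORTS = {3389: "Remote Desktop", 5900: "VNC"}

def port_is_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def exposed_admin_ports(host, ports=REMOTE_ADMIN_PORTS, timeout=3.0):
    """Remote-admin ports that answer; should be [] from a non-whitelisted network."""
    return sorted(p for p in ports if port_is_open(host, p, timeout))

def days_until_expiry(cert, now=None):
    """Whole days left on a certificate dict as returned by getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - (time.time() if now is None else now)) // 86400)

def check_certificate(host, port=443, timeout=5.0):
    """Handshake with CA and hostname verification; returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                days = days_until_expiry(tls.getpeercert())
                return True, f"trusted certificate, {days} days until expiry"
    except ssl.SSLCertVerificationError as exc:  # expired, self-signed, wrong name
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return False, f"no TLS connection: {exc}"

if __name__ == "__main__":
    # Usage: python check_server.py fms.example.com   (hostname is a placeholder)
    host = sys.argv[1]
    ok, detail = check_certificate(host)
    print(f"TLS on 443: {'PASS' if ok else 'FAIL'} ({detail})")
    for port in exposed_admin_ports(host):
        print(f"FAIL: {REMOTE_ADMIN_PORTS[port]} port {port} is reachable")
```

A port that times out is reported the same as one that is refused, because either way the service is not reachable from where the script ran.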

7. Are additional features such as WebDirect and the Data API only activated when in use?

Only enable services that are actually needed, such as WebDirect, XML, PHP, Data API, etc. No service or account should be enabled unless you actually need it.

FM Database

8. Have you disabled automated logins?

In the File Options dialog of your database, disable ‘Log in using’ with specified username and password.

This box is checked by default for a FileMaker database, and the account name is Admin with no password. These are insecure settings that should be changed when you begin development.

9. Do you take full advantage of FileMaker Privilege sets to control your security at the layout, script, table, or record level?

Using FileMaker native Privilege sets to control what users can see is much more secure than using other methods, such as testing for a user name in a script before navigating to a layout.

Avoid using the [Data Entry Only] and [Read-Only Access] groups, because these don’t allow any custom controls.

Greatly restrict the number of users in the [Full Access] group, but ensure there are always at least two users (in case one of you wins the lottery).

10. Do you have an internal audit system such as fmLog to track user logins, changes and deletions?

Use fmLog to track user logins and changes made. This is a free AppWorks utility.

Other log systems are also acceptable. The objective is to track user activity such as login and logout, record view, record deletion, script execution, etc. While this doesn’t actually prevent access to confidential data, it’s a key way to show what actually happened.

11. Have you checked the box that requires a specific and recent FileMaker version to open your database?

In File Settings, require FM17 (or 15 at the very least). This prevents older versions of FileMaker from opening the file. Newer versions of FileMaker have stronger security, so this is a simple way to increase security.

12. Examine all accounts and privilege sets in each database. Does each user (especially Full Access users) have a password?

Regularly audit all users and privilege sets to ensure that users can only see what they should be able to see. Create test user accounts to simulate user activity, and disable these accounts when testing is complete.

13. Have you enabled File Access Restrictions in Manage Security Settings?

In the Manage Security dialog, the last tab is called ‘File Access’ and has just one checkbox, which is not checked by default. CHECK THIS BOX.

This feature prevents users with low level access from linking a different database to your database, and viewing data that they should not be able to see.

This does not increase security for users that don’t have an account in your database, but does restrict what all non-Full Access users can do with your database.

If you answered no to any of these questions, you may desire a full Security Audit from AppWorks. Email or call (503)616-9422 for scheduling.

Tulum is the site of Pause[X]Include


Our tickets are booked for Pause[X]Include in a few weeks in Tulum, Mexico! We’re beyond excited to attend, speak and learn from other developers from across the nation. We love networking with FileMaker firms large and small, and we can’t wait to see our peers from the community! From AppWorks, we are sending CEO Matt Navarre, President Kimberly Carlson, and Senior Developer David Weiner.

All AppWorks staff in attendance will present at Pause[X]Include. Matt will present on deploying a custom web server on AWS. Kimberly will speak to Project Management, specifically on how to say no to a client, and David will speak to the integration of FileMaker and Airtable. We are eager to share our knowledge of these topics with the FM Community, and also enthused to learn from other developers’ presentations.

AppWorks attended the previous Pause conference, PauseOnSecurity, and the findings from that week have been invaluable to our proceedings ever since. We hope to attend and contribute to a similarly excellent conference at Pause[X]Include in a few weeks.

Please find us and say hello in Tulum, and pack sunscreen! We can’t wait to grow and learn with the FileMaker Community, and hope to be a friendly face in the crowd for all developers, both new and experienced.

¡Hasta pronto!

Non-editable text selection in FileMaker

How to protect data in fields from being edited, while still allowing the fields to be selected for copy / paste functionality.

One of the features that makes FileMaker so easy to use for data entry is that there’s typically very low friction between the user and the data. Specifically, fields on a FileMaker layout are usually just open and ready for editing. This makes it simple to just dive in and enter data, but the flip side of this low-friction environment is that critical data can sometimes be edited by mistake. As soon as the user moves off the record to “commit” the changes, your data is changed permanently.

FileMaker offers several methods to protect field data from being edited. The most common (and simple) is just unchecking the option for field entry in Browse Mode in the inspector:

Another common method is through the use of merge text on a layout. A third popular method to protect data from being edited on a layout is by using a calculated button bar segment. This works very well, and has the added benefit of enabling you to dynamically change and format the data.

But what if you want to select the data, copy it, and paste it elsewhere, but still protect it from being edited? This is a familiar problem — users want to copy an entire address block, or an email address, or whatever, and paste it into an email or a document, but are unable to select the text.

There are three ways of making field data selectable, but not editable:

  1. Create a privilege set to prevent editing of the data
  2. Create a calculated field that displays the data
  3. Use HTML-formatted data in a webviewer to display the data


If you set up a privilege set in FileMaker’s “manage security” settings, and then apply it to user accounts, you can effectively prevent users from editing fields under various circumstances. If, for example, you were to create a calculation (at the field level) that says a field can only be edited when a “Locked” boolean field is unchecked, then the user can select that field on a layout, but will be unable to edit the data unless that boolean field has been unchecked. The advantage here is that you can control the editing of data by user privileges, and so some users may be able to edit, while others may not. The downside is that it can become complicated to edit the user privileges at the field level, particularly if you have a large number of fields to deal with.

Calculation Fields

Setting up specific fields to replicate the data in editable fields will enable you to place any number of these fields on a layout and allow them to be selected without any ability to edit the data. Period. It’s easy to set up (you just take a field called “Name”, for example, and create a new calculation field called “cName” that simply calculates the “Name” field), and it requires no special privilege setups. However, the downside here is that you have to add new fields to your system. For just a few, this may be fine, but it’s not necessarily practical to duplicate many fields as calculated fields, just to allow for copying and pasting. On the other hand, you can do things like calculate an entire address block including spaces, carriage returns, and formatting all in a single calculation field and display that:

The above calculations display a nice, neat, formatted name and address block:

HTML in a Webviewer

This method works quite nicely, although it requires some knowledge of and comfort with coding HTML. It involves using HTML inside of a Webviewer to display data from fields, formatted as needed. Instead of putting some fields on a layout to display address data, you instead put a webviewer in that block, formatted to show the data as a small web page:

If you’re comfortable building HTML pages, then this is a good way to go, although data in Webviewers can load more slowly than native FileMaker layouts. There are also some formatting settings that need to be adjusted for a Webviewer object so that it seamlessly matches your layout. Specifically, you’ll want to turn off the progress bar and status messages, plus you may want to remove any fill colors and outlines from the object style.

As with any development platform, there are many ways to “skin a cat”, but sometimes it may be difficult to figure out which way is the right way. Hopefully, you’ve gained some new “cat-skinning” tricks from this!

Please don’t actually skin a cat. It’s just a figure of speech.

Training Classes Offered in May

We have received interest in upcoming FileMaker trainings, and we are thrilled to announce the return of our FileMaker training classes! This upcoming May, we are offering a training series for intermediate to advanced FileMaker developers. These classes will be taught by Matt Navarre, expert developer and owner of AppWorks.

The courses will be offered in a four-part series, where classes can be bought individually, or in a package deal for a total savings of $200. Each 4-hour class will be from 1-5PM on Wednesday afternoons in May. Each individual class is $400, with the package deal including all four classes for $1400. These classes can be purchased online.

Class 1 will focus on data tables and relationships. Topics covered during this class include types of relationships, identifying relationships, working with complex relationships, using external data sources, and more.

Class 2 delves into FileMaker layouts, and will include instruction on linking layouts to specific table occurrences, using portals to display data, using the chart object and additional topics.

Class 3 is a scripting-focused class. Topics such as creating and editing scripts, script triggers, perform scripts on server, scripting tools, the Script Debugger and more will be taught.

Class 4 is a class dedicated to server setups for both internal and web connections. Web publishing server settings, WebDirect server settings, encryption at rest and other server encryptions to watch out for, and server admin console settings will all be covered in-depth. Class descriptions detailed here are not complete – please read full class details in the store section of our website.

Please let us know if there are any additional topics you would like to see covered in a class, or if you are unsure of your abilities. We are more than happy to work with you and assist with placement in our training classes. We want to challenge you, but we want you to understand everything you learn. Ultimately we want these classes to give you the tools you need to develop successfully.

Please also email if you are interested in FileMaker training, but seeking a more basic class offering for beginner developers. We would love to host a class series for beginners and will begin the scheduling process if there is sufficient interest.

New Service: Module Implementation

We are debuting a brand-new service offering that can be purchased in our online store. AppWorks will now install one of our downloadable modules into your solution, so that our clients can reap the benefits of our popular modules without the development hassle. We are offering this service for fmLog, fmSearchResults and fmRecentRecords. We’d recommend this option for beginning-level developers who may be uncomfortable fully integrating one of our modules on their own, but want enhanced functionality in their database.

Services Offered

Our implementation services vary based on the nature of the module. For fmLog, we will add logging functionality into a solution, for up to ten fields. For fmRecentRecords, we will add a history to the dashboard for up to 5 tables. fmSearchResults’ integration will completely integrate the module within your solution.

Our goal with our new integration offering was to offer our clients enhanced functionality from these modules, with no FileMaker expertise required. AppWorks’ integration services will ensure that the module is working properly and to its fullest capacity within your solution. Our integration services will save our clients time and effort so that they can focus on their business, not their database.

Additional Help

These integrations can be purchased alongside our modules, in our new store section of the AppWorks website. Our modules and module/integration packages can be found here. The online purchase of the integration will include the module itself and a designated block of time for the integration, which will be scheduled via email. We hope you find this offering helpful, and we can’t wait to help you get the most out of your solution. If you aren’t sure which integration(s) would benefit your company the most, reach out to and we can help make recommendations for your specific solution.