Security Checklist

How secure is your FileMaker solution?

AppWorks attended the PauseOnSecurity conference in October of 2018, which ignited our passion for security. The conference findings were surprising, and we learned that many servers and databases previously thought secure are not. We also learned how to secure them.

To help the community, we created this Security Checklist as a means for businesses to evaluate their own security settings and risks. The list below is not exhaustive, but does cover many of the most common risks and settings that can compromise database security.

For a complete audit of your database’s security settings, contact eleanor@app.works. For this audit, we use the entire 50+ item checklist.

These are the top items ranked by severity and relative risk in the areas of the Server OS, FileMaker Server settings, and your FileMaker database.

Server OS

1. Are the key usernames on your server unique and not easily identifiable (e.g. “Hari Seldon” instead of “Admin”)?

For the OS-level accounts on the server, avoid the following user names:

Admin

Administrator

Dev

Developer

FMS Admin

Local Admin

Automated attack tools often try common usernames. If your username is more distinctive, such as ‘ABCtech-admin’, it is much less likely to be hacked than a common username like ‘Admin’.

2. Is the server in a physically secure location?

A FileMaker Server should be located in a secured room with only authorized individuals permitted access. The server should be password protected, and primary and secondary backups should be secure.

This is one area where cloud servers are actually more secure than on-premises servers, because cloud facilities, like AWS, have extremely strong physical security.

In addition to considering physical theft of the server or backup media, also consider the server’s risk of fire, flood, or other damage; this all falls under physical security.

3. Is your server desktop locked with a secure password?

The server desktop should be locked with a secure account name and password. For example, use an account name like Hari Seldon and a password like one of these: LeQaDWzuRyR-cp6vXAG{ex_M or cataract-sensory-masque-outflow-pundit-stand.

These are secure because of the most important aspect of a password: its length.

Consider using a different account name and password for the server admin account, the FileMaker server console, and the FileMaker database for highest security. After doing server maintenance, log out of the server so that it’s always left on a lock screen.

4. Do you have an offsite location for your backup files that is separate from your primary server?

Secure offsite backups in case of theft, fire or other disaster. If your primary database is Encrypted at Rest (EAR), then all backups are also encrypted, which greatly increases their security.

FM Server

5. Do you have a custom TLS/SSL Certificate?

It is highly recommended that you install a custom TLS/SSL certificate: a valid, non-expired certificate issued by a reputable certificate authority and supported by FileMaker Server.

This is especially important if your database is accessible to the outside world without VPN, such as if the database is hosted with a vendor or FileMaker Cloud.

Read here about importing an SSL certificate.
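To confirm that the installed certificate really is valid, non-expired and issued by a trusted authority, the following added example (not AppWorks or FileMaker code) connects the way a client would and reports the issuer and days remaining. It assumes the server's HTTPS services answer on port 443; fms.example.com and the sample certificate are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_until_expiry(cert, now=None):
    """Whole days before the certificate's notAfter date; negative once expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(not_after, timezone.utc) - now).days

def issuer_name(cert):
    """Organization (or common name) of the issuing certificate authority."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName")

def assess(cert, warn_days=30, now=None):
    """Classify a certificate that already passed chain and hostname checks."""
    left = days_until_expiry(cert, now)
    if left < 0:
        status = "expired"
    elif left <= warn_days:
        status = "renew soon"
    else:
        status = "ok"
    return {"status": status, "days_left": left, "issuer": issuer_name(cert)}

def check_server(host, port=443, timeout=5):
    """Connect as a client would; untrusted or mismatched certificates fail here."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "reason": exc.verify_message}
    except OSError as exc:
        return {"status": "unreachable", "reason": str(exc)}

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"notAfter": "Jan 31 00:00:00 2024 GMT",
               "issuer": ((("organizationName", "Example CA"),),)}

if __name__ == "__main__":
    print(assess(SAMPLE_CERT))
    # Placeholder host name (assumption); substitute your own server.
    print(check_server("fms.example.com"))
```

A result of "untrusted" means the certificate is self-signed, expired, issued for a different host name, or chains to an authority the client does not trust.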

6. Is the Remote Desktop port blocked on the FileMaker server machine?

Using a network firewall, or firewall software on your server, block Remote Desktop access port 3389 on your Windows Server, or port 5900 for VNC on the Mac. These ports are a common attack vector.

Whitelist specific IP addresses in your firewall so the users that need to administer the server can do so.

It’s also possible to use alternate (random) port numbers for these services, which provides even better security, though this can be difficult.
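One way to review a firewall rule set against this item, as an added example that is not part of the original checklist: it flags any allow rule that opens port 3389 or 5900 to sources outside the administrator allowlist, including rules that cover those ports through a range. The rule format is hypothetical, the rules and addresses are constructed, and it assumes a default-deny firewall where only allow rules open ports.

```python
import ipaddress

REMOTE_ADMIN_PORTS = {3389: "Remote Desktop", 5900: "VNC"}

def port_in_spec(port, spec):
    """True if port falls inside a spec such as '3389', '5800-5999' or 'any'."""
    for part in spec.lower().split(","):
        lo, _, hi = part.strip().partition("-")
        if lo == "any" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def uncovered_sources(remote, allowlist):
    """Source networks of a rule that fall outside the administrator allowlist."""
    if remote.lower() == "any":
        return ["any"]
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    outside = []
    for src in remote.split(","):
        net = ipaddress.ip_network(src.strip(), strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            outside.append(str(net))
    return outside

def audit(rules, allowlist):
    """List (rule, service, port, source) for every over-broad remote-admin rule."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for port, service in REMOTE_ADMIN_PORTS.items():
            if port_in_spec(port, rule["ports"]):
                for src in uncovered_sources(rule["remote"], allowlist):
                    findings.append((rule["name"], service, port, src))
    return findings

# Constructed sample rules (hypothetical format; documentation address ranges).
SAMPLE_RULES = [
    {"name": "RDP from anywhere", "action": "allow", "ports": "3389", "remote": "any"},
    {"name": "Admin workstation", "action": "allow", "ports": "3389", "remote": "203.0.113.10"},
    {"name": "Legacy VNC range", "action": "allow", "ports": "5800-5999", "remote": "198.51.100.0/24"},
    {"name": "Web services", "action": "allow", "ports": "443", "remote": "any"},
]
ALLOWLIST = ["203.0.113.10", "203.0.113.11"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, ALLOWLIST):
        print(finding)
```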

7. Are additional features such as WebDirect and the Data API only activated when in use?

Only enable services that are actually needed, such as WebDirect, XML, PHP, Data API, etc. No service or account should be enabled unless you actually need it.

FM Database

8. Have you disabled automated logins?

In the File Options dialog of your database, disable the ‘Log in using’ option, which logs in automatically with a specified username and password.

This box is checked by default for a FileMaker database, and the account name is Admin with no password. These are insecure settings that should be changed when you begin development.

9. Do you take full advantage of FileMaker Privilege sets to control your security at the layout, script, table, or record level?

Using FileMaker native Privilege sets to control what users can see is much more secure than using other methods, such as testing for a user name in a script before navigating to a layout.

Avoid using the [Data Entry Only] and [Read-Only Access] groups, because these don’t allow any custom controls.

Greatly restrict the number of users in the [Full Access] group, but ensure there are always at least two users (in case one of you wins the lottery).

10. Do you have an internal audit system such as fmLog to track user logins, changes and deletions?

Use fmLog to track user logins and changes made. This is a free AppWorks utility.

Other log systems are also acceptable. The objective is to track user activity such as login and logout, record view, record deletion, script execution, etc. While this doesn’t actually prevent access to confidential data, it’s a key way to show what actually happened.

11. Have you checked the box that requires a specific and recent FileMaker version to open your database?

In File Settings, require FM17 (or 15 at the very least). This prevents older versions of FileMaker from opening the file. Newer versions of FileMaker have stronger security, so this is a simple way to increase security.

12. Examine all accounts and privilege sets in each database. Does each user (especially Full Access users) have a password?

Regularly audit all users and privilege sets to ensure that users can only see what they should be able to see. Create test user accounts to simulate user activity, and disable these accounts when testing is complete.

13. Have you enabled File Access Restrictions in Manage Security Settings?

In the Manage Security dialog, the last tab is called ‘File Access’ and has just one checkbox, which is not checked by default. CHECK THIS BOX.

This feature prevents users with low level access from linking a different database to your database, and viewing data that they should not be able to see.

This does not increase security for users that don’t have an account in your database, but does restrict what all non-Full Access users can do with your database.

If you answered no to any of these questions, you may desire a full Security Audit from AppWorks. Email eleanor@app.works or call (503)616-9422 for scheduling.