10 Replies Latest reply on Mar 2, 2016 9:23 PM by taylorsharpe

    FM_Sample insecure?

    worldcloud

      I have seen that many users say that the FM_Sample file is insecure and that it should be removed from all servers. We typically allow Data Entry access. We realize that it is possible/ likely that users will create bogus/ test records in this file; but it is so easy to script the replacement of this file that it's not a big deal.

       

       

      the reason we like it is that when a client calls with 'Your server isn't working', we can use the FileMaker Technology Test Pages. These are a 'known' standard that clients trust more than custom pages that we have created. We typically attempt to avoid debugging solutions which we don't even have access to. If we can prove that WebDirect (example) is working on the server, then the conversation changes.

       

      if/ when we close this file, Then users have links on a 'FileMaker defined page' (https:serverURL:16000) that no longer works. When a first time user starts to 'play' with these pages, we feel that it is a bad thing for them to find broken links in the first minutes on having their account.

       

      We have some thoughts/ solutions on this topic; but I'm curious to see why the community feels that Data Entry guest access is so dangerous on the FM_Sample file...

       

       

      THanks

       

      Joe

       

      CEO, WORLDCLOUD, inc.

        • 1. Re: FM_Sample insecure?
          taylorsharpe

          The problem is more with having a file on your server with automatic login as Admin with [Full Access] and uncontrolled "File Access" in the Security.  It makes for a great way for people to hack into your data in other solutions on that same server.  But in FMS 14, FileMaker recognized this problem and made a change to the FM_Sample file.  Reference FMS Server 14 Security notes at:  http://help.filemaker.com/app/answers/detail/a_id/14513/~/filemaker-server-14-release-notes

           

          1. Sample files
            1. For FileMaker Server 14, the sample file FMServer_Sample is password protected and the file cannot be changed. Administrator access was removed for security reasons. You may remove the hosted file if you are not using it. If you need a modifiable database for testing or demonstration purposes, use one of the Starter Solutions or your own database.
            2. For FileMaker Server 14, the sample file FMServer_Sample cannot be used to test or demonstrate ODBC and JDBC connections. To test or demonstrate ODBC and JDBC connections, upload your own database.

          This fixed a previously commonly existing security problem with the default Sample File being installed with Server and it not having proper security. 

          • 2. Re: FM_Sample insecure?
            worldcloud

            As I mentioned, we normally 'demote' the auto-login account to 'data entry', so full access is not the issue.

             

             

            even with full access, a user could trash that file- or even compromise server performance, but how does full access privileges affect the security of other users?

             

            with quotas (Windows server) a user is prevented from sucking up all the available drive space, so the other files can 'go on' even if someone does stupid things to the FM_Sample file...

             

            i Know that FileMaker has issued tech note, but they have not specifically defined why...

            • 3. Re: FM_Sample insecure?
              worldcloud

              we demote the fm_samplet file because we have been warned to do it; however, I have not heard what the specific security risk is...

               

              can can a full access user run a batch script or AppleScript on the server? No

               

              can a user import or export via PSOS anywhere but the Documents folder? No

               

              can a full access user link to another file with different credentials? No

               

              can a full access user embed an executable into a external container and execuate that code? No

               

              ----

               

              what is it that this 'full access' user can do that is so dangerous?

               

              ----

               

              I am a FileMaker Certified Developer which has spent a bunch of time working with FileMaker Server. If we are to protect our servers from risks, we need to understand those risks. Most every file that gets hosted has at least one 'full access' user. If there is a security risk to other solutions; this seems like something we should be discussing...

              • 4. Re: FM_Sample insecure?
                CarstenLevin

                I am glad that this test file is available. We use it to test any new server just after setting it up.

                 

                If it was not there we would have to create one:-)

                 

                I would like it to be automatically set with the same password to the admin account that you enter for the server, or to ask for a new password the first time it is opened. Maybe just using the standard FileMaker function for that.

                 

                And the good advice is: Just remove it after installation. Keep it safe for testing at a later time ... with a password:-)

                 

                Best regards

                 

                Carsten

                • 5. Re: FM_Sample insecure?
                  taylorsharpe

                  worldcloud wrote:

                   

                  .....

                   

                  I am a FileMaker Certified Developer which has spent a bunch of time working with FileMaker Server. If we are to protect our servers from risks, we need to understand those risks. Most every file that gets hosted has at least one 'full access' user. If there is a security risk to other solutions; this seems like something we should be discussing...

                   

                   

                  There has been discouragement about discussing the specifics and some of those conversations in the forums have been removed.  But if you had been participating the last several months, there was quite a discussion on it, including a number of posts that have subsequently been taken down.  I hinted at the easy one above (File Access via a [Full Access] from another file by making a TO of it), but there are other vulnerabilities with tools like Apple Script.  That aside, if you follow the FileMaker Security Guidelines, you should be safe.  Most vulnerabilities involve security setups that are not recommended best management practices which includes the recent changes to the Sample file in 14.  If you really want to get into the vulnerabilities, they probably won't discuss them here fully.  Wim Decorte and Josh Ormond are two I would suggest you talk to, but I think they will expect consulting fees for that type of work. 

                  • 6. Re: FM_Sample insecure?
                    worldcloud

                    If the sample file used an auto enter login of Admin and blank, the only way it could pull a TO from another file is if they had the same credentials. If file #2 had three users (Larry, Curley, and Moe) then they would have to provide proper credentials prior to being allowed to create a TO.

                    The presence of a file with Full Access does not grant any 'special access' to the other files on the server.

                    I have been on the forums for years, but I come and go because so much advice is hogwash.

                    I'm not saying you're full of it, but the TO does not seem to be valid and I an 95% sure that Ii can not run a batch script via perform script on server. There is a way via PHP, but now we are talking about something else; however stopping a Windows service can prevent that as well.

                    For the most part, our servers run Windows, so AppleScript is not an issue.

                    We have been following best practices and disabling this file, but so far no one has given a valid security issue. Since this (by inference) the same security issue that makes all shared hosting risky in the eyes of FileMaker, then it should not be a secret.

                    At this stage, it sounds like more fear than facts.

                     

                     

                     

                     

                     

                    Sent from Outlook Mobile

                    • 7. Re: FM_Sample insecure?
                      bigtom

                      Openly discussing known security problems in a public forum is not a good idea.

                       

                      If the sample file is there but has read only access you will be fairly secure. Why not just remove it if you never use it.

                      • 8. Re: FM_Sample insecure?
                        worldcloud

                        We do not debug issues in client solutions. If a user claims that the server is not working we use the FileMaker technology test page as a litmus test.

                        When we remove the file, clients complain about broken links. FileMaker wrote then tests and outlined them in the PDFs. Shouldn't a professionally managed server operate the way FMI describes to new users?

                         

                        Sent from Outlook Mobile

                        • 9. Re: FM_Sample insecure?
                          worldcloud

                          If the solution is to remove the file or demote the full. User account then that deals with 'how to deal with the issue'...

                           

                          Not being able or willing to explain it does nothing to prevent other solutions from having the same issue- not to mention, as a professional aren't you interested in how your database works.

                           

                          Tired of all these people who drink the kook-aid and don't care what's in it.

                           

                          Sent from my iPad

                          • 10. Re: FM_Sample insecure?
                            taylorsharpe

                            I think most of us understand the purpose of the Sample File.  But prior to 14, it had a clear vulnerability for those who know how to exploit it.  Even on 14, after assuring the install is correct and main solution working, I remove the sample file.  At that point, its purposes has been served and it remaining requires the same security attention that all other solutions do on the server.  Since it is usually ignored at this point, it can become a vulnerability.  So why leave a potential vulnerability on the server.