
Insecure Servers and Files: A Cautionary Note

Question asked by shblackwell on Jul 9, 2018
Latest reply on Jul 10, 2018 by bigtom

Colleagues:

I am sorry to have to report that I have learned that a number of developers may still be hosting files on FileMaker Server that automatically open without credentials challenge to [Full Access] privileges. This is a dangerous practice. Depending on the version of FileMaker Server in use, it can be quite dangerous and inimical to the safety of your files or those of your clients if you are hosting for them.

While later versions of FileMaker Server have taken steps to inhibit, constrain, and otherwise discourage this behavior, nevertheless it is still possible to host such files. Doing so introduces a number of vulnerabilities (again, dependent on the version):

  • Exfiltration of files by unauthorized persons, possibly surreptitiously.
  • Infiltration of unauthorized files, including executable ones, onto the server.
  • Attacks against other servers using the auto-open, full access file on your server.
  • Instigation of processes that consume large portions of available server resources.

I would strongly recommend assigning credentials to all hosted files, and not allowing any file automatically to open to [Full Access]. Your server may well be easily discoverable and compromised. Frequent review of the Server Access Log is also a good idea.

Respectfully,

Steven H. Blackwell

Platinum Member Emeritus, FileMaker Business Alliance
