Security Guide

Build security into your solutions 19
Tips for creating effective passwords
Secure passwords are more than eight characters in length, and include mixed upper and
lowercase letters and at least one numeric digit. Consider combining two unrelated words, and
swapping letters out for numbers, for example, b0att!me (swapping a zero for “o” and an
exclamation point for an “i”).
If files are web-published, account names and passwords should only use printable ASCII
characters, for example a-z, A-Z, and 0-9. For more secure account names and passwords,
include punctuation characters such as “!” and “%”, but do not include colons. If you’re hosting
databases with FileMaker Server Advanced, enable SSL encryption.
Passwords are less secure when they include strings that are easily guessed, such as names
(especially the names of family and pets), birth dates, anniversary dates, and the words
password, default, master, admin, user, guest, client and similar standard terms.
Change passwords frequently, perhaps every 30 or 90 days.
Use passwords only once.
Wherever possible, assign a unique password for each user. If you must share user accounts, be
sure to change the password regularly.
Do not record your passwords in a master file or list unless the file or list is well secured.
Do not share user accounts with other users; users should only receive account names and
passwords from file administrators.
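As an added example (not from the guide), the following Python function applies the password tips above to a candidate password: minimum length (reading “more than eight” as at least nine characters), mixed case, a digit, none of the guessable terms listed, and, for web-published files, printable ASCII without colons. The function name, messages, and the optional list of personal terms (names, dates) are this example’s own.

```python
import string

# Constructed from the guide's tips; names and messages are this example's own.
MIN_LENGTH = 9  # "more than eight characters"
GUESSABLE_TERMS = ("password", "default", "master", "admin", "user", "guest", "client")


def password_problems(password: str, web_published: bool = False,
                      personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the list of tips the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than nine characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    # Standard terms from the guide plus caller-supplied names and dates.
    lowered = password.lower()
    for term in GUESSABLE_TERMS + tuple(t.lower() for t in personal_terms):
        if term and term in lowered:
            problems.append(f"contains easily guessed term {term!r}")
    if web_published:
        # Web-published files: letters, digits and punctuation only, and no colons.
        # Excluding spaces and non-ASCII characters is this example's assumption.
        allowed = set(string.ascii_letters + string.digits + string.punctuation) - {":"}
        disallowed = sorted({c for c in password if c not in allowed})
        if disallowed:
            problems.append(f"web-published: disallowed characters {disallowed}")
    return problems


if __name__ == "__main__":
    for candidate in ("Blue7Kettle!", "adminPass1", "Sun:rise88x", "short1A"):
        print(candidate, "->", password_problems(candidate, web_published=True) or "ok")
```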
Considerations when hosting files with FileMaker Server
Keep the following points in mind when hosting databases with FileMaker Server:
If you enable remote access, be sure to require a password. See the FileMaker Server online Help
for more information.
Store FileMaker Pro files on a local server (not on network directories). One of the most
important performance factors is reading and writing data quickly to disk.
Disable file sharing or ensure that files hosted by FileMaker Server cannot be accessed directly
by users. If a FileMaker Pro file can be copied from a file server, it is vulnerable to attack
“offline.” For example, group names for accounts authenticated with the external server feature
are stored as text strings. If the group name is reproduced on another system, the copied file can
be accessed with the privilege set assigned to the members of the group, which might expose data
inappropriately. For more information, see “Security enhancements in FileMaker Server” on
page 15.
Suppressing a filename in the Open Remote dialog box, or the Instant Web Publishing Database
Homepage is not a replacement for using accounts and privileges to protect a file.
FileMaker Server command line interface (CLI) commands can include account names and
passwords. Make sure that unauthorized users cannot view passwords that are part of CLI
commands typed onscreen. To limit access to script files and batch files that contain CLI
commands with passwords, use the file ownership and permissions features of your operating
system.