Security Guide

Web publishing security considerations
FileMaker Pro software enables you to publish databases to your intranet or the Internet, so that
users can browse, search, and update the databases using web browser software. This introduces
more risk than sharing files with other FileMaker Pro clients.
Tips and considerations when designing databases for web publishing
1. Define accounts and privilege sets.
   - Protect all files with user names and passwords. You can use the Guest account, which logs
     in with a default user name and password, if it’s not practical to use unique accounts for
     clients. However, this makes your file available to anyone who has the IP address or domain
     name of the computer hosting the database.
   - Assign privileges to modify data and database structure only if necessary.
   - Enable only the required web publishing extended privileges. For example, if you are only
     using Custom Web Publishing with XSLT, enable its extended privilege in the appropriate
     privilege sets, but leave other web publishing extended privileges disabled.
2. If you are converting solutions from pre-7.0 releases, note that the Web Security Databases are
no longer supported. You must transfer the accounts, passwords, and associated privileges into
your converted database files in FileMaker Pro. See Converting FileMaker Databases from
Previous Versions for more information.
3. For increased security, FileMaker Pro clients can no longer publish remotely accessed databases
on the web. You can only publish files on the web from the host computer.
4. In Instant Web Publishing, you are no longer limited to predefined layouts for viewing data. All
layouts are available to web users, based on their accounts. You can restrict layouts for accounts
with privilege sets, but you should not rely on layouts for security. Manage access to data with
tables, records, fields, scripts and value lists for the best security.
5. If Instant Web Publishing clients do not click the Instant Web Publishing Log Out button or
execute a script that includes the Exit Application step, the connection to the database is still
active. Data may be accessible to other web users or users might be prevented from accessing
the file. In addition, web users should quit the browser to clear the account information from the
web browser cache file. For more information, see the FileMaker Instant Web Publishing Guide,
located in the Electronic Documentation folder (inside the English Extras folder).
6. Select Don’t display in Instant Web Publishing homepage in the Sharing dialog box to suppress a
filename from appearing in the built-in Instant Web Publishing Database Homepage. This is
useful if your solution includes multiple files and you don’t want all the filenames displayed.
This feature should not replace defining accounts and privileges in files.
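
One way to check a solution against tip 1, as an added example that is not part of the original guide: the script below audits an inventory of privilege sets and accounts. The inventory layout and all sample names are assumptions, transcribed by hand from the Accounts & Privileges dialog rather than produced by any FileMaker export; fmiwp, fmxml, fmxslt and fmapp are the extended privilege keywords.

```python
# Added example: audit privilege sets and accounts against tip 1.
# The inventory layout is an assumption (hand-transcribed), not a FileMaker format.

# Web publishing extended privilege keywords (IWP, XML, XSLT).
WEB_PRIVS = {"fmiwp", "fmxml", "fmxslt"}

# Constructed sample data.
PRIVILEGE_SETS = {
    "WebReadOnly": {"extended": {"fmxslt"}, "edit_records": False, "modify_structure": False},
    "WebEditor": {"extended": {"fmxslt", "fmiwp"}, "edit_records": True, "modify_structure": False},
    "Developer": {"extended": {"fmapp", "fmxml"}, "edit_records": True, "modify_structure": True},
    "Staff": {"extended": {"fmapp"}, "edit_records": True, "modify_structure": False},
}
ACCOUNTS = [
    {"name": "Guest", "active": True, "privilege_set": "WebReadOnly"},
    {"name": "jsmith", "active": True, "privilege_set": "WebEditor"},
    {"name": "admin", "active": True, "privilege_set": "Developer"},
]


def audit(privilege_sets, accounts, required_web):
    """Return sorted (subject, finding) pairs for settings that go beyond tip 1."""
    findings = set()
    for name, ps in privilege_sets.items():
        web = ps["extended"] & WEB_PRIVS  # web privileges this set enables
        extra = web - required_web        # enabled, but the solution does not use them
        if extra:
            findings.add((name, "unneeded web privilege: " + ",".join(sorted(extra))))
        if web and ps["modify_structure"]:
            findings.add((name, "web-reachable set can modify structure"))
        if web and ps["edit_records"]:
            findings.add((name, "web-reachable set can modify data; confirm it is required"))
    for acct in accounts:
        ps = privilege_sets[acct["privilege_set"]]
        # An active Guest account on a web-enabled set needs no credentials at all.
        if acct["name"] == "Guest" and acct["active"] and ps["extended"] & WEB_PRIVS:
            findings.add(("Guest", "guest account reachable over the web"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: this solution uses only Custom Web Publishing with XSLT.
    for subject, finding in audit(PRIVILEGE_SETS, ACCOUNTS, required_web={"fmxslt"}):
        print(f"{subject}: {finding}")
```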