Security Guide
Table Of Contents
- Chapter 1 About database security
- Chapter 2 Security “Top 10” list
- 1. Enhance physical security
- 2. Enhance operating system security
- 3. Establish network security
- 4. Devise a plan for securing your databases
- 5. Restrict data access with accounts and privilege sets
- 6. Back up databases and other important files
- 7. Install, run, and upgrade anti-virus software
- 8. Test your security measures
- 9. Assess, iterate, and improve security measures
- 10. Upgrade to FileMaker Pro 8 and FileMaker Server 8 for security enhancements
- Chapter 3 Build security into your solutions
22 FileMaker Security Guide
11. If you are hosting web-published databases with FileMaker Server Advanced, you can use
additional security measures like SSL encryption that may be available with your web server
application. For more information, see “Using Secure Sockets Layer (SSL) security for web
publishing” on page 23. You can also disable the web publishing technologies that you are not
using. For more information, see the FileMaker Server Advanced Web Publishing Installation
Guide.
12. If you are hosting web-published databases with FileMaker Server Advanced, the Web
Publishing Engine uses certain ports and protocols to communicate with FileMaker Server
Advanced and your web server. You may have to open ports or allow protocols on your host
computers and firewalls. For more information, see the FileMaker Server Advanced Web
Publishing Installation Guide.
13. If you are hosting databases with FileMaker Server Advanced and using Custom Web
Publishing with XML, you can test your security from a web browser to see which elements
might be exposed:
• To view the names of the databases that are published on the web with XML, enter this
address in your browser:
http://<ip:port>/fmi/xml/fmresultset.xml?-dbnames
• To view databases published on the web with XSLT, enter this address:
http://<ip:port>/fmi/xsl/stylesheet_name.xsl?-grammar=fmresultset&-dbnames
• To view the fields for a record in your database, enter this address in your browser:
http://<ip:port>/fmi/xml/fmresultset.xml?-db=dbname&-lay=layoutname&-findany
• To view the script names in a database, enter this address in your browser:
http://<ip:port>/fmi/xml/fmresultset.xml?-db=dbname&-scriptnames
• To view the layout names in a database, enter this address in your browser:
http://<ip:port>/fmi/xml/fmresultset.xml?-db=dbname&-layoutnames
For information on query commands and parameters, see the FileMaker Server Advanced Custom
Web Publishing Guide.
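The XML checks in item 13 can be scripted so that the exposure test is repeatable after each configuration change. The following is an added example, not code from this guide or from FileMaker: it builds the test URLs listed above for your own host and summarizes a saved response. The function names, the sample response, its element layout, and the DATABASE_NAME field name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Query strings from the XML checks listed above; {db} and {lay} are filled in per database.
CHECKS = {
    "databases": "-dbnames",
    "scripts": "-db={db}&-scriptnames",
    "layouts": "-db={db}&-layoutnames",
    "fields": "-db={db}&-lay={lay}&-findany",
}

def audit_url(host_port, check, db="", lay=""):
    """Build the test URL for one check against your own host."""
    query = CHECKS[check].format(db=quote(db), lay=quote(lay))
    return f"http://{host_port}/fmi/xml/fmresultset.xml?{query}"

def local(tag):
    """Strip the XML namespace so parsing does not depend on its exact URI."""
    return tag.rsplit("}", 1)[-1]

def exposed_items(xml_text):
    """Return (error_code, {field name: [values]}) from a saved fmresultset response."""
    root = ET.fromstring(xml_text)
    error, found = None, {}
    for el in root.iter():
        if local(el.tag) == "error":
            error = el.get("code")
        elif local(el.tag) == "field":
            values = [d.text or "" for d in el if local(d.tag) == "data"]
            found.setdefault(el.get("name"), []).extend(values)
    return error, found

# Constructed sample response (assumed shape), not captured from a real server.
SAMPLE = """<fmresultset xmlns="http://www.filemaker.com/xml/fmresultset" version="1.0">
  <error code="0"/>
  <resultset count="2" fetch-size="2">
    <record mod-id="0" record-id="0">
      <field name="DATABASE_NAME"><data>Contacts</data></field>
    </record>
    <record mod-id="0" record-id="0">
      <field name="DATABASE_NAME"><data>Payroll</data></field>
    </record>
  </resultset>
</fmresultset>"""

if __name__ == "__main__":
    print(audit_url("192.0.2.10:80", "databases"))  # 192.0.2.10 is a documentation address
    print(exposed_items(SAMPLE))
```

Any name in the result that you did not intend to publish on the web is a finding to correct in the file's accounts and privilege sets.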
Protecting your databases from web-based attacks
Start by reviewing the security procedures explained in this document. Your host computer is both
your connection to the outside world and, if unprotected, the outside world’s connection to your
internal network. Verify the following:
• For web-shared solutions, especially on the Internet, consider configurations that use two (or
more) computers to separate the database from the web publishing components, along with
firewalls, SSL, and other standard Internet technologies. This protects access to your files and
protects the communication between web users’ browsers and the server.