Security issues with Web Publishing

From 360Works Product Documentation Wiki

Latest revision as of 23:03, 2 February 2016

General FileMaker plugin security

You should exercise care when using any FileMaker plugin from within the Web Publishing Engine. Doing so allows remote users to execute code on the server machine, which can be used maliciously if you do not guard against that possibility. For example, suppose you have a file manipulation plugin installed that can read the contents of a file and display it in a FileMaker field. If you create a web publishing interface that lets the user enter any path for the file to read, they could read any file on the server's hard drive and view the result in the web-published database.

This does not mean that you should never use plugins with web publishing. Just make sure that you access them through scripts, and that the inputs to these scripts cannot be maliciously manipulated by users accessing your site.
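The file-reading case above comes down to confining a web-supplied value to one published directory before anything reads it. The following is an added example, not 360Works or FileMaker code; the function names, the directory layout, the extension allow-list and the sample inputs are all constructed assumptions, and Python is used only to show the checks that whatever layer hands the value to the plugin needs to make.

```python
import os
import tempfile

class RejectedPath(ValueError):
    """The web-supplied value must not be passed to the file plugin."""

def resolve_for_plugin(base_dir, user_value, allowed_ext=(".txt", ".csv")):
    """Return the absolute path to hand to the plugin, or raise RejectedPath."""
    if not user_value or "\x00" in user_value:
        raise RejectedPath("empty value or NUL byte")
    # Treat both separators alike, whatever OS the server runs on.
    normalized = user_value.replace("\\", "/")
    if normalized.startswith("/") or ":" in normalized:
        raise RejectedPath("absolute path or drive letter")
    if os.path.splitext(normalized)[1].lower() not in allowed_ext:
        raise RejectedPath("extension not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, *normalized.split("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedPath("escapes the published directory")
    if not os.path.isfile(candidate):
        raise RejectedPath("no such file")
    return candidate

def demo():
    """Classify constructed sample inputs against a constructed directory tree."""
    root = tempfile.mkdtemp()
    published = os.path.join(root, "published")
    os.mkdir(published)
    for path, text in ((os.path.join(published, "report.txt"), "public"),
                       (os.path.join(root, "secret.txt"), "private")):
        with open(path, "w") as handle:
            handle.write(text)
    samples = ["report.txt", "../secret.txt", "..\\secret.txt",
               "C:\\Windows\\win.ini", "/etc/passwd", "report.txt\x00.png"]
    results = {}
    for value in samples:
        try:
            resolve_for_plugin(published, value)
            results[value] = "allowed"
        except RejectedPath as err:
            results[value] = "rejected: %s" % err
    return results

if __name__ == "__main__":
    for value, verdict in demo().items():
        print(repr(value), "->", verdict)
```

Only the value returned by `resolve_for_plugin` should ever reach the file-reading call; the raw field contents should not.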

Security Dialog when accessing WPE pages or Zulu

Permissions issues or misconfigured security settings can occur if FileMaker Server has been deployed multiple times. Your web server has its own settings, which may not be removed when FMS is redeployed or uninstalled. FileMaker has posted instructions at http://help.filemaker.com/app/answers/detail/a_id/6454/kw/IIS%20Authentication/session/L3RpbWUvMTMwMzgyNzY0MC9zaWQvQjcxTGxzc2s%3D for clearing settings left over from a previous FileMaker Server deployment, which can help resolve these issues.

On IIS you should also make sure that "Integrated Windows authentication" is not checked in Default Site -> Properties -> Directory Security -> Edit.

SafetyNet and IIS Manager

Please note: Windows authentication needs to be disabled in IIS Manager.

Screenshot: Disable Windows Authentication on IIS Manager