I'm trying to limit the ability for user accounts to be created. My host has noticed spam activity on my account and has suggested that it is being generated by accessing the user account creation script directly.
When I try to access that feature in Drupal 7, the Setting tab doesn't render correctly. Fields and Display tabs function correctly.
Screen Snap
If your host is right about the script being accessed directly, then your site might be hacked.
Since you also have problems with rendering of the settings tab, I would execute these steps in this order:
Follow the instructions for updating Drupal, starting with backup of
the database and the files:
https://www.drupal.org/docs/7/updating-your-drupal-site/update-procedure-minor-version-change
Set secure permissions for files and folders: https://www.drupal.org/node/244924
The second step alone might help stopping the user creation by direct access to the script, but it will not get back the original settings tab.
In back-end go to Configuration -> People -> Account settings. There is a section Registration and cancellation and Who can register radio buttons group where you can forbid anonymous user create account. If that's already set well and people are still registering then it really is possible that your site has been hacked.
Related
We have a number of webpages that employees can access. I have a table, in a database, which determines who can access the individual pieces.
I use HttpContext.Current.User.Identity.Name, to get the current username, and then determine whether they are allowed to access the page they are requesting. If not, they are redirected to an access denied page, which has contact details where they can request access.
This is been working for months and is still working for everybody, except me! As well as my usual active directory account, I have what we call a developer account to login to servers et cetera. When I run the webpages on my PC, either through visual studio or IIS, I have determined that it is working because it is using my standard active directory account.
I am not aware of making any changes. I was actually just going through the pages as part of a documentation exercise.
However, as soon as I try to browse the pages on the server, it appears to be using my developer account! How do I know this? Firstly, I have built a test page that displays the current username. Secondly, I have an audit table, which records who try to access what page, when and whether they were allowed access.
Yes I could add my developer account to the users table but that would obviously not be my preferred solution. I have been working on something else for the past few days (nothing to do with this) and based on the audit table, I think this problem started today.
Any ideas?
I've built an app in App Maker and deployed it, but the user I thought I had given permission to is getting this notification "Sorry, you don't have access to this application."
In the app, I added a role to the data source and added the user to the role from the deployment. I also added the role to each page's security. I verified that App Maker is turned on for all of our users. I've ensured that the user has access to the Google Sheet data tables (both what I imported into the App for preview and the data I exported from the deployment). I've even added the user as a Cloud Sql Viewer in our Cloud SQL instance (don't know if that was necessary). This is my first app and I feel like I'm flying blind. I'm obviously missing something but can't figure out what. Any help is much appreciated!
Make sure all the required models can be accessed by the role you assigned to the user.
If the user has another Google account in the same Chrome session, the browser may be switching them to this external user when opening the app. Sign-out from that account or try incognito.
Make sure the deployment has no restriction as shown here; or if it does, allow the username.
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I've worked in D6 for quite a while, and am just now dipping my toe into D7. I've got the basic installation working on my server and all's well; the only thing I don't understand is whether I should be bothered that admin/reports/status is telling me that Node Access Permissions are disabled. I understand that NAPs are nothing new to D7, and I've had occasion to rebuild the permissions once or twice in the past. But the new admin page calls out the disabled status explicitly, so I'm now wondering about stuff I hadn't wondered about before:
What does it mean for these to be disabled (I'm logged in as user 1, if that matters)?
Should I try to reconfigure the system or my server to get them enabled? What would I gain by having them enabled?
Thanks!
Everything should be perfectly fine.
That only means that you are not using any module that is declaring node permissions so all nodes are visible for users with the view content permission.
Don't know if it's perfectly fine, but on my drupal site, since I upgraded to 7.2 (a security update it said) spammers are able to create new users (even though it's reserved to administrators now and the 2 only administrators did not login in between), create post with spam HTML links every day by the dozen!
Here is what it says on the status report:
Node Access Permissions Disabled
If the site is experiencing problems with permissions to content, you may have to rebuild the permissions cache. Rebuilding will remove all privileges to content and replace them with permissions based on the current modules and settings. Rebuilding may take some time if there is a lot of content or complex permission settings. After rebuilding has completed, content will automatically use the new permissions. Rebuild permissions
When I rebuild permission, it takes a few seconds only and the same message appears.
I am in the process of moving my drupal site to a new IIS server. I had it running perfectly on one server. I disabled all non-core modules, turned off clean urls, put the site in maintenance mode and moved the files and database to my new server. I am able to bring the new site up fine. I can view the main page as well as other content. I can even create new content.
However, whenever I try to access the admin page, I am getting a 500 error on the server. I am not getting anything in the server logs to indicate what the problem might be. Does anyone have any idea what might be going on?
Thanks for any thoughts.
Is the menu router menu system not rebuilt correctly?
Try getting to the Modules page, Menu page, or run cron.
There could be many reasons why you cannot access the administrative pages, including the fact the database tables have not been correctly moved.
Check the content of the table users, and verify the user account for the "super user" (the one with user ID equal to 1) has still the user ID equal to 1. That is a particular user that has automatically any permission; if the user ID is not 1 anymore, then the account becomes a normal user account, and it needs to be expressly allowed to do anything.
you don't need to disable clean urls, this is how your enable them in IIS:
http://learn.iis.net/page.aspx/505/install-drupal-on-iis/
could be something to do with clean urls, i also had this problem when recently removing my website to IIS, clean url's fixed this issue!