I'm setting up AD FS on Windows Server 2012 R2. I would like to enable the update password feature, but without joining the devices to workplace. Microsoft has stated it's a requirement, in this article
http://technet.microsoft.com/en-us/library/dn280950.aspx
But I'm wondering if there way to skip the workplace join, as some devices are already joined to another domain
Microsoft has published a hotfix allowing this now:
http://support.microsoft.com/en-us/kb/3035025
Related
We have a ASP.NET web application with SQL Server 2008 R2 as the backend.
Our client wants the application hosted on their servers to which they will have full administrative access.
I have 2 questions:
1 - Is there any good way of restricting their access to the back-end database.
2 - Are there any tools (free or cheap preferably) to monitor if anyone has logged into the database from outside the application ?
Many Thanks.
Regards
In answer to your first question:
If they have full admin access to the server, they're going to be able to do whatever they want with the databases on it. However you can still add auditing to the server, if you can trust them not to tamper with that. I'd suggest making it a condition of the support you provide them, to not make changes to the database directly.
In answer to your second question:
SQL Server Auditing - can be used for instance and database level auditing.
For more information, this is a pretty good guide with examples of how to set it up:
http://bradmcgehee.com/2010/03/30/an-introduction-to-sql-server-2008-audit/
This also gives even more information on how it works and examples:
http://msdn.microsoft.com/en-us/library/dd392015%28v=sql.100%29.aspx
I have experience developing software and web applications and I have decided to do some freelance work on the side. Well, I met with my first client and they are requesting a relatively simple, custom system that (without being long winded) tracks client’s paperwork as it progresses through the business’s different manual processes. It is a small business that has about 10 employees, but all of the employees will interact with the client’s paperwork, therefore everyone would need access to the new system. When I say ‘track’ I literally mean that the employees will ‘check as complete’ on a simple page the increases a progress bar at different stages for the paperwork. Now I am %110 capable of coding the custom system that meets their needs, but I am unsure about how I should go about doing it.
The information that is being tracked in the new system and stored in the DB is confidential information that they are very protective of. My main question is how should I be developing this to be as secure as I can?
-They have their own server in house, so should I develop an application (VB and SQL) for the server and require employees to log on remotely to use it? Can more than one person access/use the application at a time?
-Or should I develop a web application (ASP.Net/VB and SQL) that is only accessible on their network to their employees? They plan to expand offices, could they set up a VPN to access the site?
I’m leaning towards a web application, but I have not done too much in term of security. Basically I’m looking for pros and cons for either option or any suggestions on what I should.
PS, stackoverflow is awesome! Long time user, first time poster!
If you want to develop using vb & sql you have to consider that:
You need to have real ip
Your system will communicate threw certain port and you have to handle the security measure for letting certain port opened in your server.
You should have good knowledge in network programming
If you want to develop using asp.net you have to consider that:
in case only office employees will use the system, you can develop against users in Active Directory and for outside users with username and password with SSL connection or vpn
for preventing more than one person access the file you can simply add column 'locked' in case file is being used.
Well im not a web fan (I suck) ive seen too many security issues go with it...i.e Lulzsec, but i do very much love VB apps.
So I would definetely recommend a VB app connected to a MSSQL database (coz it's easy to configure and havent seen any security exploits yet),my Chinese friend told me there is a way to access MySQL free databases.Now, allow remote access but make sure your Windows Firewall is also configured properly do look at all angles of security.
If I remember well there is an option in MSSQL to specify the IP addresses or is it MAC addresses that can access the DB so maybe input all of the 10 employees' IP addresses assuming they are static,if they are dynamic (DHCP) don't bother. And ask them to make the IP address of the server where you will host the DB on static.
If only 10 employees use the DB then limit the connections to 10. For now develop this when it comes to VPN you can make a Remote version of the App im sure that will come later right now focus on the basics. Also use Dotfuscator when you are publishing the app I heard it is very good.N also im suggesting the document/work order is received at the reception so that user will check in the document with specifics...if they are passing on the work order to the next user they should select the user and then THAT user may enter some sort of verification code unique to the user...im sure you can envision the rest from here. Now do I also get a cut from this?lol
I've been doing the same for years now, and I always take the website side, this days I go width ASP.NET MVC 4, it's easier, everything in their place and extremely easier to test and maintain.
The web application has a very big advantage to any standalone windows application, you deploy and upgrade only one application instead to maintain all the different versions once you start deploying windows apps, and they are harder to debug once you start to having different machines with different versions and so on...
so, Web or Win app = Web app, always!
All you need is a server that run IIS and set it up for using Active Directory (Visual Studio has that project already, simply create an ASP.NET MVC and choose the "intranet" template), it will set up everything for you, and all you need later is tweak the Active Directory connection string.
I also use a self-signed SSL to protect data between client and server, as I also make the apps available outside the office without VPN needed, as long as they login with their secure AD credentials.
And... audit everything into a secondary database, every action performed by a user since they login until they logout, every view, update or creating data witch .NET makes it simple if you create your Logging method to simple log messages and Stack messages on errors.
This will greatly benefit your employer and you when something goes wrong.
I would say to go with web application. Advantage using web application is, if they want to expand bussiness .. same can you do with you WebApp. But choose .Net over VB, going with latest techonology will help you resolve current challanges.
I have a web role project in ASP.NET made for Azure deployment and need to have authentication.
I have to choose between Office 365 and On-Premise Active Directory.
Looks like both needs to be integrated to Azure Active Directory using Access Control Service.
What are the pros and cons of both?
Also if there are any other possibilities.
As astaykov mentions in his comment on your question you are not restricted to involving Access Control Services in this scenario. Not sure why he didn't submit that comment as an answer.
If you truly must go against your Office 365 or On Premise AD then what you are really saying asking is what is the difference between the two. I'll list some thoughts, but first if you want to implement these then here are some links:
Offerings from MS on Identity: http://msdn.microsoft.com/en-us/security/aa570351.aspx
Using ADFS V2 in your Azure Deployment:
http://channel9.msdn.com/shows/Identity/WIF-Workshop-9-WIF-and-Windows-Azure/ This is a little older material and I couldn't find much on using WIF to connect directo ADFS V2 that was more current. You do NOT have to invovle ACS in this at all. Sadly, this was misunderstood a lot when ACS was released.
Using Office 365/Windows Azure AD: http://msdn.microsoft.com/library/windowsazure/dn151790.aspx
Note: I have connected Web sites running in Azure to ADFSV2 directly, but I've not had a chance to work with the WAAD/Office 365 stuff yet.
If you choose to go with exposing your AD on premise then you would likely do this by exposing it using ADFS V2. This is what opens up the endpoint for the code running WIndows Identify Foundation (WIF) objects to reach out and deal with authentication. The upshot of this is that you don't have to worry about Office 365 logins or a WAAD separately and might be an interesting choice if you don't have those services for ANY OTHER reason but this one scenario. The down side is that you are exposing a proxy to your AD on an endpoint at your own location. If you lose connectivity to the internet then no one attempting to use the apps in the cloud would be able to authenticate. This is also the option I might look at if the users of the app in the cloud will ONLY EVER access it while behind your firewall (such as being at an office or even over VPN). This is because you can set it up so that your app uses a ADFS endpoint that is NOT exposed to the internet, but if they are behind your firewall it would still work. This pretty much ensures that only people already behind your firewall can use your app.
If you choose to use Office 365/WAAD integration then the upside is that you can sync with your onpremise AD to give single sign on to resources on your network as well as to the apps in the cloud. You also make access to your cloud apps more resilient because they have no need to depend on your exposed ADFS V2 endpoint. If you use Office 365/WAAD for any other reason (such as your employess use Office 365 for email, collaboration, etc.) then this is the option I would look at first.
You should look at ACS if you want to integrate with other identify providers such as Google, Facebook or even other companies. Technically you wouldn't have to use ACS at that time either, but it will certainly save you a ton of work to use ACS and not write the integration code on your own for each provider.
Quoted from http://blogs.msdn.com:
User Instances (also known as RANU) available with SQL Server Express Edition, are NOT RECOMMENDED for hosting environments.
I have a server running Server 2008 R2 Web Edition with IIS 7.5 and Sql Server 2008 R2 Express installed.
I have only 3 friends as my hosting clients. Each has a restricted Local User Account on the server.
What is the drawback of using user instance in production environment?
Edit
Rather than considering the limitation in memory usage and database size that I know, let us consider the user instance only, why isn't it recommended?
I think that the answer to your question comes with the definition of the RANU
What is RANU
and also read the http://msdn.microsoft.com/en-us/library/bb264564(SQL.90).aspx
The RANU starts a seperate instance Process of SQL Express for every user, so in a share enviroment with let say 30 sites that needs access to SQL, then SQL run 30 instances at the same time, that is takes as you understand a lot of recource/memory etc. Also as say in the article the first time SQL Express run for every user is make copies of all system database to create this user instance.
In a single user machine to run one process is normal, but if SQL Express starts to run many instances then you take a lot of resource, memory, and this is not easy to administrate, update etc.
In the article on the link there are more detail informations about this.
I have ASP.NET web application which stores information on the session while user goes through pages. Will I have any problems if I deploy such application to Windows Azure?
As Nariman stated, you can't have server affinity - the load balancing is beyond your control. You can use either table storage or SQL Azure for session state. I don't really see much value in storing session state in blobs.
See this post on the SQL Azure blog, from August 2010, to see how to implement session storage in SQL Azure. This will allow you to manage session state across instances as you scale up.
EDIT 6/16/2014 - The Redis cache supports this. See Azure Redis Cache (Preview) ASP.NET Session State Provider
EDIT 5/23/2012 - Wow, lots has changed since I posted this. SQL Azure is fully supported as a session state provider (via Universal Providers, shipping since v1.4), as well as Windows Azure Cache. More details are provided in this StackOverflow answer.
You won't notice a difference on a single-instance deployment that uses InProc but you do need to rely on out of process Blob & Table storage if you plan on running multiple web roles. (There's no way to keep a user pegged to the same instance in Azure load-balancing, AFAIK.)
With the October 2012 release of the Azure SDK they provided a special session provider that can use the "Co-Located Role Caching" as a special back end for session. It allows you to use the role-level caches rather than having to choose from table storage or SQL Azure only. There are instructions on how to configure that here:
http://dotnetthread.com/articles/27-Setting-up-Windows-Azure-Caching-for-Session-State-Management.aspx