I have an ASP.Net website running on IIS7. The developers have created a CMS in the \admin folder, which allows the website admin to create/edit/delete pages.
They have said:
"The read/write permission should be given to the user that requires login access to the admin panel, not the anonymous user that has general public access to the website. The reason for the write permission is to allow the administrator to be able to upload images and files through the CMS, and make various changes to the navigation, style sheet, etc".
Also, they have said:
"Password protect the /admin folder and assign full rights to your admin user as it needs to update data (site files) accordingly as mentioned in the Folder level section above. For certain modules to work, such as the file manager, you would need to use Basic Authentication at the Directory Security level. The FCKeditor folder also should be protected so it has the correct permissions. "
Is this approach safe? I have tried assigning full rights to the Plesk protected folder user (the \admin folder is protected through Plesk), but Plesk keeps reverting back to its default settings. I am told this is a security measure, which makes sense.
What would an alternate way of accomplishing this be without rewriting any code?
If the application needs the ability to upload then it will always need read/write permissions to the directories it is going to upload to - no amount of rewriting will change this, it's part of the basic functionality. The same applies to editing stylesheets etc.
Reverting changes you make sounds like a very bad security measure - warning you would be fine, but generally you make these changes for a reason and want them to stay.
Hay try this...
Right-click the file and select Properties.
Click on the Security tab.
Click Advanced in the lower right.
In the Advanced Security Settings window that pops up, click on the Owner tab.
Click Edit.
Click Other users or groups.
Click Advanced in the lower left corner.
Click Find Now.
Scroll through the results and double-click on your current user account.
Click OK to all of the remaining windows except the first Properties window.
Select your user account from the list up top and click Edit.
Select your user account from the list up top again and then in the pane below, check Full control under Allow, or as much control as you need.
You’ll get a security warning, click Yes.
On some files that are essential to Windows, you’ll get a “Unable to save permission changes… access is denied” warning and there’s nothing that you can do about it to the best of my knowledge.
Reconsider why you’re using Windows.
Related
I am running my own Identity Provider with ADFS, and do not want the Active Directory integration with it. When a user logs into the page, I don't want the user to see the "sign in with one of these accounts" page, and instead would like it to just default to the other provider. I noticed I cannot disable the Active Directory provider in the trusted providers page.
Some of the resources I have found, talk about adjusting the actual login page js, or code file to get it to trick the page into selecting the one I want to default. I REALLY do not want to do this, and it seems like this should be a simple option somewhere.
The only way to do this is via customising the onload.js.
The whole point of ADFS is to add a federation capability to AD. That's why you cannot easily remove it.
So I did eventually figure this out. The proper way to remove Active Directory from the choice list does NOT involve adjusting js files. Going into the system and running:
Set-ADFSProperty -EnableLocalAuthenticationTypes $false
This then used the only other identity provider automatically.
I needed to put both of these
Set-AdfsProperties -IntranetUseLocalClaimsProvider $false
Set-AdfsProperties -EnableLocalAuthenticationTypes $false
There are a number of similar-sounding questions to this, but none of them quite address this specific question.
https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral
https://social.technet.microsoft.com/Forums/windowsserver/en-US/353d381d-0911-41c3-98fb-2475b65c32f6/dcom-was-unable-to-communicate-with-the-computer-xxxx-using-any-of-the-configured-protocols?forum=winservergen
https://social.technet.microsoft.com/Forums/windows/en-US/4aa643b6-f90d-4672-aba4-6c0a290e22d4/distributedcom-permissions?forum=win10itprosecurity
https://social.technet.microsoft.com/wiki/contents/articles/17914.fim-troubleshooting-event-id-10016-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application.aspx
DCOM/IIS Issues
https://www.automation.com/pdf_articles/Troubleshooting_OPC_and_DCOM.pdf
I'm sure there are many other pages that are similar to this, but I'll stop here.
The scenario is this:
Windows 10...
...hosting an application (or cluster of applications) that takes near-real-time data from real sensors parses the numbers, writes them to a database, and presents them onto a browser .aspx page via IIS and DCOM
(this is an archaic mysterious application/set of applications for which there is limited or no source code or documentation).
Occasionally, after working through all the installation and configuration steps, you are presented with a localhost/something.aspx page and whilst you can see the variables by hovering over the fields, the values are not populated.
Looking in Windows event viewer, you may see errors like this:
Event ID 10016 - The application-specific permission settings do not grant Local Activation permission for the COM Server application
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID{...long hex number found in registry ...}
i.e.:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID{8D8B8E30-C451-421B-8553-D2976AFA648C}
There are two more keys, but I don't have them on this PC that I'm typing on; one is an installed component for handling DCOM, and another one is to do with the Interactive User as well.
The installed one, is usually the one that reports having no permissions, typically for the "NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)" user (formed into a group of admin and user accounts)
[https://www.experts-exchange.com/questions/24205909/NT-AUTHORITY-NETWORK-SERVICE-SID-S-1-5-20-on-Windows-Server-2003.html... can't access this page at the moment]; then when you go into the security and add specific permissions for it, you're left with it reporting the above Interactive User keys, the 8d8... one and a 726... one, which you can't edit permissions for.
What bugs me about this is that it's apparently a complete magical mystery, which is unacceptable in a computer system! :D
The current solution is to just no bother fiddling, and just format the machine, redo windows, work through all the application installation, IIS, and DCOM steps, and .aspx config again from scratch, and hope for the best - i.e.: that the magical special order that you do things in just makes it work, "because it does". I think this is a bit ridiculous, and time-consuming, more to the point, it bugs me intensely that there's not really a clear notion of what the actual problem is and what the solution might be.
There must be something specific happening or not happening that is causing the DCOM to not talk to the .aspx webpage; surely something that can be tweaked after the event without zapping the whole systems and spending ages redoing it all. It's as if something is "unplugged" or has a different identity/name/number from what is being looked at or filtered by what the .aspx page ingests, maybe something in the code? something in the IIS selections? something that needs resetting? Not sure...
I'm not asking for a silver bullet, but if anyone is willing to help work through this, that would be appreciated, it's just annoying and frustrating, and I'd like to get to the bottom of it, and hopefully create a definitive thread that others might benefit from.
Before going into these lengthy procedures and editing registry. I would you look at TCP/IPv6 in the Local Area Connection Settings. If it is enabled then disable it and flush the dns or restart your server. Hope it helps the future seekers.
Stay blessed everyone..
This appears to be the exact same issue 4 years ago.
https://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/weather-application/e4630db3-50c2-4cc5-9813-f089494a1145
Hi
Not sure if this will fix your issue but I was able to fix mine.
Open Regedit.
Go to HKEY_Classes_Root\CLSID*CLSID*.
Note: CLSID stand for the ID that appears in your event viewer error. In your case, it's {C2F03A33-21F5-47FA-B4BB-156362A2F239}.
Right click on it then select permission.
Click Advance and change the owner to administrator. Also click the box that will appear below the owner line.
Apply full control.
Close the tab then go to HKEY_LocalMachine\Software\Classes\AppID*APPID*.
Note: AppID is the ID that appears in your event viewer. In your case it's {316CDED5-E4AE-4B15-9113-7055D84DCC97}.
Right click on it then select permission.
Click Advance and change the owner to administrators.
Click the box that will appear below the owner line.
Click Apply and grant full control to Administrators.
Close all tabs and go to Administrative tool.
Open component services.
Click Computer, click my computer, then click DCOM.
Look for the corresponding service that appears on the error viewer.
Note: For this step, look for the one that appeared at the right panel of the RegEdit. For example, the AppID Registry (316CDED5-E4AE-4B15-9113-7055D84DCC97) contains the "Immersive Shell" Data with a (Default) as a name. Now look for "Immersive Shell".
Right click on it then click properties.
Click security tab then click Add User. Add SYSTEM then apply.
Tick the Activate local box.
Restart.
Hope that helps.
EDIT: I edited the step number 14 for it to be clearer. I am glad that I was able to help out.
Want to make alfresco site read only in alfresco community 5.0 so that no one can make any changes or edit that during migration.
I already tried changing the user/group permissions but that method doesn't work properly. Is there any other way to make the sites read only?
You need to make all sites in read only mode and so entire Repository should be in read-only mode for migration!
Try this property in your alfresco-global.prop file
server.allowWrite=false
Please check this for reference
The best way to make a site read only would probably be to modify all members of that site to have the consumer role (this would prevent them for creating new content or editing any existing content).
Unfortunately there is no bulk capability built into the UI to do this, however it should be a relatively straightforward exercise to create an admin only custom WebScript to achieve this. It would necessary for the Admin to become the site manager of each site before attempting to change the role of each site member, but there is an API for doing this.
Alternatively (if you have only a few sites) then you could do this manually through the UI using the Site Management Admin Console page. Again, the Admin would need to become the Site Manager for each Site and then visit the site and change the role of every member.
As suggested by #DaveDraper in a former answer, you could setup site memberships to the consumer role. However, this won't take into account any special permission given on a particular node (folder/document) in that site either with or without inheritance of permission.
So, if you intend to block any writes on the entire alfresco repo/site you could simply setup an extra security interceptor on your NodeService to block any write access using the NodeService.
PS : You could get some inspiration from the "NodeService_security" bean and implementation !
I can think of a turn-around or two, but those would be really sloppy so I won't be including them in this response
Problem: Within the Content Editor, our web editors with the privileges to edit content as well as publish that content are often forgetting to go to Edit>Approve and Publish, instead they are just saving and trying to press the publish button which publishes to master, but not the live production server. I understand that approve and publish puts the page into the final workflow step, and (atleast on our servers) the publish button does not. I'm wondering if the Publish button can be changed to function as 'Approve and Publish' and whether that will cause any issues for people who have editor privileges but not publishing privileges.
Along those same lines, our admins can save and publish with the publish button without approving by using Edit>Approve and Publish, but they cannot do this with new pages. New pages have to be approved and published once and from that point on they can simply save and then publish with publish button and the content goes live. Is there any way to bypass that initial 'Approve and Publish' step for admins?
I have some experience working in the core as well as editing the workflow, but I apologize if this is a really simple problem, or if I'm missing the point of the way our workflow is setup. I also considered creating an Approve button and putting it next to edit, so that our editors were more likely to remember that step, but I couldn't find an approve command to associate with the new button. I would love some feedback from Sitecore veterans.
Changing the behavior of the publish button is not recommeded and will just end up confusing everyone. Also adding a new button will just lead to more confusion about which button your editors should be using.
Since your editors have to use workflow, they probably don't need access to the standard publish button. Simply removing them from the Sitecore Client Publishing role will make it so they can't see the publish button and therefore have to use the workflow command.
If workflow is turned on, a new version of an item will always be put into the first step of that workflow. You could change that behavior with a handler for the version:added event. If you are only concerned about new items, a processor for the uiAddFromTemplate pipeline could also be used. However, I don't recommend changing this behavior at all. For that matter, I don't recommend using full admin users for content editing at all since you will lose the versioning of your content items. Admin users should be used for administration, not content editing.
Let's say we have a web site with a CF app that was written in-house.
Assume that:
Server 2003 IIS6 or 2008 IIS7 will be used
ColdFusion 8 will be used
Directory browsing is denied
SSL is required to connect
The account login process is secure (yeah I know that is a whole other
ball of wax but that concept is discussed ad nauseum on the web).
Say I have a file at https://domain.com/folder1/folder2/ with a name like picture92352.ext imagine it as a jpg or pdf or whatever. The entire path between the domain name and the file varies widely in naming structure, depth, etc. Files are not all lumped together in one folder.
The app restricts links by user such that a user would have to have access to that file to find it in the first place but as it stands now if a person knew the full URL to that file they could retrieve it without logging in to the app. It's the classic security by obscurity situation. A random person isn't likely to find a file they shouldn't get to but once someone is given access they know how to access it from another PC where their actions might not be traced back to them.
How do I restrict access to these files before someone logs in and still make them accessible to outside users after they log in? Is there a way to do it with permissions only or is the only answer to have code dynamically moving files around at the time of the request or is there some obvious step I'm not even thinking of?
Let me clarify this slightly. No matter how the file is presented on a page a user can use the browser IE, Firefox, etc to examine the URL the file comes from. If the image is a link there is always copy shortcut in the right click menu for IE and the same functionality in FF is called copy link location. If the image is displayed inline as part of the page an IE user can right click and choose properties to see the URL, in FF the same functionality is present to see properties but there is an even quicker more convenient option labeled copy image location. Once a user knows the URL to a file if the location or file name doesn't change they can use that URL without authenticating in the CF app.
If I change the NTFS/share permissions so that IUSR can't see the content then my CF app and IIS can't push it. What strategy do I use to provide the file in the CF app that doesn't leave this hole open?
You could write a CFM page that serves up the images. Then you just make sure they are authenticated inside the CFM.
<!-- something like this -->
http://localhost/GetFile.cfm?file=foobar.jpg
In GetFile.cfm, you would do something like:
<!-- the filename part is what the browser will pre-popualate the file name in the download dialog as -->
<CFHEADER name="Content-disposition" value="attachment;filename=picture92352.ext">
<CFCONTENT type="text/plain" file="\\fileserver\folder1\folder2\picture92352.ext">
Take a look at the various MIME types.
If you wanted to do something similar but keep a more natural URL, I think you would need to leverage the Java servlet underpinnings of ColdFusion to create a handler for any URL matching a certain pattern.