How come one user in the local Administrators Group has no problem hitting http://localhost:8080/services/v1.0/Registration.asmx while other users in the local Administrators Group get 403 (access denied) errors (with nothing in the Event log)?
Have you checked the permissions of all three areas? You need permission on the server, Reporting Services and SharePoint for this.
I would strongly recommend you download Team Foundation Server Administrator tool to do this as otherwise it can be a right pain.
rasx, yea, the interface isn't the best on that tool. It basically allows an easy way to set up permissions to the Team Foundation Server, Reporting Services, and Sharepoint.
Most of the security problems I've come across always resolve down to one of those three permissions messed up on a particular user. I'm pretty sure that's what you're experiencing. Without the Team Foundation Administrator Tool that dove mentioned, you can still just add permissions to each of those areas manually.
It sucks that TFS doesn't come with an easy way to manage all permissions everywhere, but there you have it.
dove, I’m not sure about how the Team Foundation Server Administrator tool would help here. I installed it on the TF server and got an empty interface that looks like it is expecting pre-existing Team projects.
I'm working with Symfony2.3.4 and PHP 5.6.3.
I'm going to deploy a project I just finished and I need to do it "by hand", it means copying the project source code manually onto the production server in a company because I can't use any tool for it or anything of the like.
I've never done this before and from what I've googled so far it's hell. But what worries me the most is the matter of protecting my code once it's in the server, i.e.: no one sniffing around, editing, copying, plagiarizing it, etc.
I don't know if I'm making any sense or if this is an obvious question, I really really have zero experience deploying web apps so be gentle.
Anyone who has administrative access to the server can read and copy your code, including of course the server administrators (i.e. the hosting provider staff).
Of course any hosting provider in the world can do that and AFAIK it's never been a problem, because they usually are professional and don't do it.
The only solution I can think of is to set up a VPS where only you have SSH access, but of course that means you have to set up the whole web server yourself... and that's even more complicated than simply deploying your code.
To answer your question, and if you really (really!) want that, you can check out this SO question: Is there a code obfuscator for PHP?
But you shouldn't do that! As said, don't be scared by hosting providers, or set up your own server. :)
I need to implement Role/Group based authentication in my ASP.NET web application using Active Directory Domain Services and LDAP. I want to use the user’s Windows logon identity credentials for authentication. I have no clue where to start.
If anybody has implemented a similar requirement, please reply with some pointers.
Also, please let me know how I can test this in my organisation's network and what the LDAP server credentials should be. Can I add our custom groups?
Please reply asap.
I'm just looking into this myself. In the past I've implemented Azman (authorization manager) on windows 2003 (it comes with windows 2003). This seems to work well; my app's been in production for 3 years with a fairly complex config and has held together ok.
Azman has been developed further with windows 2008, but I haven't implemented on this platform yet.
The thing that I liked about Azman was that it abstracts the authorization management away from the app code itself and can give very granular permissions. That said I'm still looking around for alternatives; the biz rule functionality always felt a bit flaky for some reason and at least for my app became very important (biz rules let you set context around rights... so for example bob can edit some textbox, but only for specific records). Anyhow here's a few links that might help:
http://support.microsoft.com/kb/324470
http://msdn.microsoft.com/en-us/magazine/cc300469.aspx
I'm not sure if these articles answer all your questions... or maybe you've found another solution? If after reading you have more questions just yell :)
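For the requirement in the question (Windows logon identity plus Active Directory groups), here is an added example of the two usual ways to check group membership from ASP.NET; it is not code from the thread or from the linked articles. It assumes web.config contains `<authentication mode="Windows" />` (with Windows authentication enabled for the site in IIS), and the domain and group names are placeholders.

```csharp
// Added example, not from the thread: AD group-based authorization in ASP.NET.
// Assumes <authentication mode="Windows" /> in web.config; "CORP" and the
// group names are placeholders for your own domain and groups.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public static class AdAuthorization
{
    const string Domain = "CORP";                     // placeholder domain
    const string EditorsGroup = "CORP\\App-Editors";  // placeholder AD group

    // Cheapest check: the caller's Windows token already carries its group SIDs,
    // so IsInRole needs no LDAP round-trip and sees nested groups too.
    // Same rule can be expressed declaratively in web.config:
    //   <authorization><allow roles="CORP\App-Editors" /><deny users="*" /></authorization>
    public static bool IsEditor(HttpContext ctx)
    {
        WindowsIdentity id = ctx.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            return false;                             // anonymous: deny
        return new WindowsPrincipal(id).IsInRole(EditorsGroup);
    }

    // Explicit directory lookup: needed when you check an account other than
    // the caller, or when the token may be stale (group changes only reach a
    // token at the user's next logon). With no credentials passed, the LDAP
    // bind runs as the application pool identity, which must be a domain account.
    public static bool IsMemberOf(string samAccountName, string groupName)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, samAccountName))
        using (var group = GroupPrincipal.FindByIdentity(pc, groupName))
        {
            if (user == null || group == null)
                return false;                         // unknown user or group: never fall open
            return user.IsMemberOf(group);
        }
    }
}
```

Custom groups are just AD groups created by a domain admin; once a user is in one, the token-based check picks it up after the user's next logon, and the directory lookup sees it immediately.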
I'd like to know which are the security risks of running an ASP.NET application with an administrator account.
I might end up doing this and I'd like to be aware of the known security holes I would have.
I'm connecting to a SQL Server using SQL authentication so excessive privileges to execute queries is out of the list.
I am having trouble coming up with a scenario where this would actually make sense -- you can always delegate specific permissions to a named user to get them the specific admin-style rights they need.
As for the question at hand, direct risk isn't any greater than any other web application inasmuch as a web app is a big honking hole through your firewall. The indirect risk is very, very scary. You are trying to turn the clock back to 2000 when IIS5 was set up to run as local system making every single case of "IIS can be made to run arbitrary commands" into "anyone can own your box over port 80."
If you do have to do this, I'd consider putting firewalls behind the server too. That way, when it does get rooted, you've got some defenses. I'd also use unique accounts, etc.
You should rarely need to run IIS under an administrative account. It's usually a sign of poorly written code. For example, I have seen it done when an app needs to shell out a batch job or executable, and needs to run those files under admin context to work (i.e. very poorly coded applications).
You don't want to run any services under admin context. Not your IIS service, and especially not your database service. Any exploit triggered on your system will take on admin privileges, leading to a complete box compromise. Notice that in newer versions of Windows, both client and server, there are much fewer services running as either admin or system. This is due to Microsoft's own learnings that running apps under excessive privileges is a very bad idea.
The risk is completely endless; a single mistake in your code, or an as-yet-undiscovered IIS/ASP.NET security vulnerability and you would be giving potential crackers complete, unfettered access to the server.
Compared to running it under the default account(s), where access would be pretty restricted.
There's really no reason to need to do this anymore, especially with the newer Windows servers, ASP.NET versions and IIS.
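A practical way to catch the misconfiguration the answers above warn about is a startup guard that refuses to serve requests while the worker process identity is an administrator. The following is an added example, not code from the thread; it is meant to be called from Application_Start in Global.asax, where no request impersonation is active, so the identity inspected is the application pool identity.

```csharp
// Added example, not from the thread: refuse to start when the worker
// process runs as an administrator. Call PrivilegeGuard.AssertNotAdministrator()
// from Application_Start in Global.asax.
using System;
using System.Security.Principal;

public static class PrivilegeGuard
{
    public static bool ProcessIsAdministrator()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(id);
        // Direct or nested membership in BUILTIN\Administrators, or LocalSystem,
        // which is implicitly an administrator on the box.
        return principal.IsInRole(WindowsBuiltInRole.Administrator) || id.IsSystem;
    }

    public static void AssertNotAdministrator()
    {
        if (!ProcessIsAdministrator())
            return;
        // Failing loudly at startup is cheaper than discovering the problem
        // after the first exploited bug runs with full rights.
        throw new InvalidOperationException(
            "Worker process identity '" + WindowsIdentity.GetCurrent().Name +
            "' is an administrator; change the application pool identity to " +
            "a low-privilege account (e.g. NETWORK SERVICE or a dedicated domain user).");
    }
}
```

If a specific task genuinely needs elevated rights (the batch-job case mentioned above), grant that one right to the pool account or move the task to a separate service with its own identity, rather than lifting the whole site to administrator.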
I'm trying to use the asp.net (3.5) built in user management framework but I'm not 100% sure how to do this on godaddy. Google didn't help much, anyone have experience with this?
You can roll your own or find one. You cannot run the ASP.NET configuration tool directly against your GoDaddy account. (If you notice, it's just another ASP.NET website running in another dev web server via Visual Studio).
You can use the System.Web.Security.Membership and Roles static classes in the Membership Provider to hook into it. This is very easy to do. Membership.GetUsers(), etc.
You can also use the stored procs to manually add/remove users and roles.
-Nathan
Go to your hosting control center,
in the menu Content on top, go to IIS Management,
there will be a list of web folders,
on top of the list you can see the ASP.NET runtime version and a (modify) link in brackets; click on it. There you'll see if you are using ASP.NET 3.5.
I have also had this problem. About a year ago. So I am curious to know what the solution might be, if there is one! I was told by Go Daddy, back then, that they had ASP.net admin stuff "locked down" pretty tight. I went back and forth with their help people, who had to actually escalate it - because the general help team didn't understand what I was asking. What I ultimately did was I canceled my hosting service (they did give me a refund for unused time!) and I went over to a different host. Hope this helps and I will be listening carefully to responses as I am curious to see if they changed OR if someone has a workaround.
To get the tables that the membership provider uses, look in %WINDIR%\Microsoft.NET\Framework\v2.0.50727. That is where the SQL statements used by the wizard are located. Also, check out:
http://www.asp.net/Learn/Security/tutorial-04-vb.aspx
for a more thorough explanation of how the membership tables are set up. You can do all the same work that the admin tool does, just not in a GUI format.
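Doing "the same work that the admin tool does" from code, as Nathan's answer suggests, looks like the following. This is an added example, not code from the thread; it assumes web.config already points SqlMembershipProvider and SqlRoleProvider at a database prepared with aspnet_regsql.exe (which lives in the framework directory named above, next to the Install*.sql scripts) and that the provider has requiresQuestionAndAnswer="false". User, role and email values are placeholders.

```csharp
// Added example, not from the thread: driving the ASP.NET 3.5 Membership and
// Roles providers from code instead of the Web Site Administration Tool.
// Assumes the providers are configured in web.config and the schema exists.
using System;
using System.Web.Security;

public static class MembershipSetup
{
    // Creates a user and puts it in a role. Returns false and leaves the
    // provider's reason in `status` when the account is rejected, e.g.
    // MembershipCreateStatus.DuplicateUserName or InvalidPassword.
    public static bool CreateUserInRole(string userName, string password,
        string email, string roleName, out MembershipCreateStatus status)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);

        MembershipUser user = Membership.CreateUser(
            userName, password, email,
            null, null,        // no password question/answer (requiresQuestionAndAnswer="false")
            true,              // approved immediately; pass false to require activation
            out status);

        if (user == null)
            return false;

        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
        return true;
    }

    // Equivalent of the admin tool's user list, flagging locked-out accounts
    // (the provider locks an account after maxInvalidPasswordAttempts).
    public static string[] ListUsers()
    {
        MembershipUserCollection users = Membership.GetUsers();
        var names = new string[users.Count];
        int i = 0;
        foreach (MembershipUser u in users)
            names[i++] = u.UserName + (u.IsLockedOut ? " (locked out)" : "");
        return names;
    }

    // Login check; the provider hashes the supplied password with the stored
    // salt and compares, so the plaintext never touches your own code paths.
    public static bool Login(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}
```

On shared hosting the usual snag is the connection string: point the provider's connectionStringName at the hosted database rather than the default LocalSqlServer entry from machine.config.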
I have a web app which queries a Lucene index and it works just fine in a W2K3 server in my network. Now I got my azure code so I wanted to test the service uploading the app. In order to do that I had to install Vista (I did it in a Virtual machine) cause the Azure SDK won't install on an XP box.
I created my Cloud Service, added the files from my app but when I run it (just F5) I get a SecurityException, when I call Lucene to query the index, saying:
"The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file."
I've been googling around and the solutions I've found concern modifying the machine.config file which is something I won't be able to do "in the cloud".
Could anybody help on this?
Ok, in case somebody is facing the same issues, this is the correct answer which I got from the Azure forum:
"This is because of the trust policy for the Windows Azure CTP. The environment variables TEMP and TMP are available and set up appropriately. However, System.IO.Path.GetTempPath and System.IO.GetTempFile do not work as they require unrestricted environment permissions. I would suggest you contact the Lucene developers to see if they can modify the code so it runs properly in medium trust environments."
Thanks to Daniel C. Wang for the answer.
I also found a question regarding my same issue and how it was fixed.
Here is the link: Lucene.Net fails at my host because it calls GetTempPath(). What’s the work around?
You can change trust in the web.config, unless that has been disallowed in the machine.config (which it often is in shared hosting). inside your put and see what happens.
If you are not allowed to do that, see if you can get your control GAC'd by talking to your provider. If that doesn't work, sorry to say but you are out of luck. Sometimes you can find workarounds that don't require full trust for a specific method, but if a third party dll requires it there is not much you can do.
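For code you control, the "workaround for a specific method" mentioned above is to stop depending on Path.GetTempPath() at all. The following is an added example, not code from the thread or from Lucene.Net: it falls back to a directory under the application root, which the default medium-trust FileIOPermission grants read and write access to. The fallback path is a placeholder. As the answers note, this does not help when the temp-path call sits inside a third-party assembly you cannot change.

```csharp
// Added example, not from the thread: choose a scratch directory that works
// under medium trust, where Path.GetTempPath() throws SecurityException
// because it needs unrestricted EnvironmentPermission.
// To reproduce the Azure behaviour locally, put <trust level="Medium" />
// under <system.web> in web.config.
using System;
using System.IO;
using System.Security;
using System.Web.Hosting;

public static class ScratchDirectory
{
    const string FallbackVirtualPath = "~/App_Data/lucene-tmp";   // placeholder

    public static string Resolve()
    {
        string path;
        try
        {
            // Full trust: the normal per-user temp folder is fine.
            path = Path.GetTempPath();
        }
        catch (SecurityException)
        {
            // Medium trust: App_Data lives inside the application directory,
            // which is the only tree the medium-trust policy lets us write to.
            path = HostingEnvironment.MapPath(FallbackVirtualPath);
        }
        Directory.CreateDirectory(path);   // no-op if it already exists
        return path;
    }
}
```

Catching SecurityException rather than probing permissions up front keeps the code identical in both trust levels, which is what you want when the same build is deployed to a local server and to the cloud.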
Haven't done this but isn't it possible to have a desktop version of the Live Operating Environment? This would seem a good start for troubleshooting.