Postgres service account on Windows best practice - postgresql

On Windows, by default the PostgreSQL installation starts the service as Network Service, and Network Service has permission on the Postgres data folder. I landed in a situation where the installation folder did not have permission for Network Service, and that brought my application down. On manually starting the service it says "Access denied". I found that if I start the service using the SYSTEM account it works fine.
But is this the best way (simple & secure)? I am just concerned whether that is going to degrade the security of Postgres. Let me know.

Related

Sporadic Signin using Traefik with Integrated Windows Authentication

I'm having an issue getting Traefik to proxy applications that are secured using Integrated Windows Authentication (IWA). When the content being served is simply an IIS virtual directory secured with IWA there is no problem. However, when it is a .NET Core application, an MVC application, or even just a simple Default.aspx page with IWA enabled, I continually get prompted for my credentials (which are never accepted). See below for my configuration:
Traefik Configuration:
# ns-ws
[frontends.ns_ws]
  passHostHeader = true
  entrypoints = ["http", "https"]
  backend = "ns_ws"
  [frontends.ns_ws.routes.match_all]
    rule = "Host:ns-ws.example.com"
[backends.ns_ws]
  # ns-ws
  [backends.ns_ws.loadbalancer.stickiness]
  [backends.ns_ws.servers.server1]
    url = "http://x.x.x.x:80"
I've played with removing pass host headers and stickiness, but no luck.
It seems like the original request makes it through, because I do not get an unauthenticated error message from IIS for the page, but most subsequent requests to the server return a 401 (it seems sporadic).
Example Image:
I've tried changing the "authPersistNonNTLM" option in IIS, as described here: https://boyan.io/kerberos-load-balancers/ (with no luck)
I realize this is a very stale issue but in case this helps others.
I can confirm that Windows Integrated Authentication works successfully with Traefik 2.x using a TCP router as opposed to an HTTP router, with successful logins proven on Windows/Mac using Safari/Chrome/IE.
Note that when testing it is important to ensure you have cleared cookie caches, or you can get unpredictable results due to prior login attempts on non-working configurations you may have tried. Indeed, I experienced something similar to the behaviour you describe, with repeated unexplained login prompts, until I reset my browser.
In our configuration we have a mixed-OS Docker Swarm (Linux/Windows) with Traefik operating on Linux and sending requests straight to back-end Windows containers running on Windows swarm nodes.
If you have configured your Windows app and containers correctly, I can confirm that from:
- A domain-joined machine, you will get straight-through login to the Windows back-end containers using the domain-joined machine's Kerberos credentials.
- A non-domain-joined machine, the connection will downgrade to Windows NTLM authentication and prompt for Windows authentication credentials.
From a Traefik configuration perspective our docker containers have labels like this:
- "traefik.tcp.routers.dotnet-tcpexample.entrypoints=websecure"
- "traefik.tcp.routers.dotnet-tcpexample.tls=true"
- "traefik.tcp.routers.dotnet-tcpexample.tls.options=default"
- "traefik.tcp.routers.dotnet-tcpexample.rule=HostSNI(`windows.foo.bar`)"
- "traefik.tcp.routers.dotnet-tcpexample.tls.passthrough=true"
- "traefik.tcp.routers.dotnet-tcpexample.service=dotnet-tcpexample"
- "traefik.tcp.services.dotnet-tcpexample.loadbalancer.server.port=443"
Note that configuring containers for Windows integrated authentication in itself is non-trivial but documented here.

How to securely lock down a MongoDB database?

At the beginning of the year, lots of MongoDB databases were hacked. This also included my database. Yesterday I noticed my brand new database with authorization enabled was hacked as well. The username and password are very secure (a 16+ character password with random characters and symbols).
I've now decided to fully secure it, but I honestly don't know where to proceed. I already have:
security:
  authorization: enabled
and that should be enough (after sudo service mongod restart). I only have one database and no admin user, but anonymous access from a remote connection is still allowed. I keep reading in many places that I should run mongod like mongod --auth, but that it's the same as enabling authorization as I've done above.
At this point I'm struggling to disable anonymous authentication on the server. What did I miss? Why can I authenticate without an account?
To enable security you'll want to follow the Security Checklist on the MongoDB website.
There you are provided with role-based authorization and authentication instructions. It's also advised that you disable listening on all Ethernet interfaces and bind your MongoDB ports to the interfaces you'd like exposed.
For a guide to network hardening you will want to review these instructions, but the most important aspect is to avoid unwanted network exposure. Consider using a firewall or security groups (if in the cloud).
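The two settings the answer above calls for, written out as a mongod.conf. This is an added example, not the original poster's file or MongoDB's own documentation; the commented-out bindIp line is the setting that exposes the server on every interface, the active line is the hardened form, and 10.0.0.5 is an assumed address for the private interface your application hosts reach.

```yaml
# mongod.conf (YAML format). Assumed private interface address: 10.0.0.5.
net:
  port: 27017
  # bindIp: 0.0.0.0            # exposed: accept connections on every interface
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal interface only
security:
  authorization: enabled       # role-based access control; clients must authenticate
```

With authorization enabled and no users yet, the localhost exception lets one user be created from a local connection only: connect on 127.0.0.1, run `db.createUser(...)` on the admin database with the userAdminAnyDatabase role, then restart mongod. After that, remote clients that do not authenticate are refused data commands. Firewall or security-group rules should then limit port 27017 to the application hosts, since bindIp narrows where the server listens but not who can reach that interface.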

Is there a documented way to secure (with SSL) the localhost cluster for Azure service fabric?

This article shows how to secure the Service Fabric cluster in Azure:
https://azure.microsoft.com/en-us/documentation/articles/service-fabric-visualstudio-configure-secure-connections/
But it makes no reference to how to configure a developer's machine for the same. I tried to apply the same principles from the above link to see if I could make it work. It always fails to deploy services locally but works like a charm when I publish them to Azure's Service Fabric cluster. If I remove the secure bindings, I can deploy services to the local cluster successfully. But this becomes tedious whenever I want to publish the services to Azure's secure cluster.
Does anyone have an idea how to go about creating a secure Service Fabric cluster on a developer's machine?
I am using Service Fabric version 5.5.216.0 and it seems to be working. Run the PowerShell command:
PS C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup> .\DevClusterSetup.ps1 -PathToClusterDataRoot "C:\SfDevCluster\Data" -PathToClusterLogRoot "C:\SfDevCluster\Log" -AsSecureCluster
Then open IE and browse to "https://localhost:19080/Explorer/". You will see a popup asking you to choose which client certificate to connect with. Use the one named 'ServiceFabricDevClusterCert'. Chrome didn't work for me, as it failed directly with no useful warning. Maybe somewhere in Chrome I should enable the popup window?
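Once the local cluster has been set up with -AsSecureCluster as in the answer above, deployments from PowerShell or Visual Studio need the same certificate the browser was asked for. The script below is an added example, not part of the original answer or the Service Fabric SDK: it locates the ServiceFabricDevClusterCert certificate and opens a secured connection to the local cluster's client endpoint. The subject name and port 19000 are the SDK defaults; searching both the user and machine stores, and using the one certificate as both the server certificate to trust and the client credential, are assumptions about how the dev cluster script installs it.

```powershell
# Added example. Assumes the Service Fabric SDK is installed (it provides the
# ServiceFabric module) and that DevClusterSetup.ps1 -AsSecureCluster has been run.
Import-Module ServiceFabric -ErrorAction Stop

$subject = 'CN=ServiceFabricDevClusterCert'   # SDK default subject name (assumption)
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "Certificate '$subject' not found; run DevClusterSetup.ps1 -AsSecureCluster first"
}

# Remember which store the certificate came from so the lookup below matches.
$storeLocation = if ($cert.PSPath -like '*LocalMachine*') { 'LocalMachine' } else { 'CurrentUser' }
"Client certificate $($cert.Thumbprint) from $storeLocation\My, expires $($cert.NotAfter)"

# The dev cluster is self-signed and (assumption) uses one certificate for both
# roles, so the same thumbprint pins the server and selects the client credential.
Connect-ServiceFabricCluster -ConnectionEndpoint 'localhost:19000' `
    -X509Credential `
    -ServerCertThumbprint $cert.Thumbprint `
    -FindType FindByThumbprint `
    -FindValue $cert.Thumbprint `
    -StoreLocation $storeLocation `
    -StoreName My

# Sanity check that the secured connection is usable.
(Get-ServiceFabricClusterHealth).AggregatedHealthState
```

The same six values (X509Credential, ServerCertThumbprint, FindType, FindValue, StoreLocation, StoreName) go into the ClusterConnectionParameters element of the application project's local publish profile, which is what lets Visual Studio publish to the secured local cluster instead of failing on the secure bindings.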

Will creating a user provided service on Cloudfoundry keep it online even if I shut down my computer?

I'm just confused about how Cloud Foundry exactly works.
So if I create a service, will it be hosted on their cloud and I can expect it to run indefinitely?
Yes, Cloud Foundry will host your service and it will run as long as they are up, but to access it you must bind the service to an app.
The concept of a service in Cloud Foundry is quite open; it can refer to an app running in CF or outside, e.g. somewhere on the local network, on AWS, or anywhere else.
I recently wrote a blog entry about how you can turn an existing app into a CF service, you might find it useful.

Network Services Account

Hi all,
I have a .NET application which connects to a web service. The application pool for the web service runs under the Network Service account. Everything was working fine until yesterday, and somehow it started giving an error today. When I changed the application pool account from Network Service to an admin-level account, everything started working fine.
As far as I know, the Network Service account has top-level privileges on the local system.
My question is, can the Network Service account lose its permissions? If yes, how do I give those permissions back?
Cheers.
The Network Service account has no top-level privilege on the local system. The truth is, the Network Service account has minimal privileges, like a user in the Users group has.
Most likely someone has changed the privileges for some files and/or folders on your system, so that the Network Service account is not permitted anymore.
http://msdn.microsoft.com/en-us/library/ms684272%28VS.85%29.aspx
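Both the PostgreSQL question at the top of this page and the Network Service question just above end in the same place: a service account that lost rights on a folder, and a workaround that swaps in a higher-privilege account (SYSTEM, or an admin pool identity). The script below is an added example, written for this page rather than taken from either post; it audits what NT AUTHORITY\NETWORK SERVICE actually holds on the directories a service touches and, with -Fix, grants only the missing right and moves the service back to the low-privilege account. The service name and the PostgreSQL paths are assumptions, and the list of well-known groups used to approximate effective rights is an approximation, not a full effective-access calculation. The reason not to settle for SYSTEM is concrete for PostgreSQL: a superuser can run COPY ... TO PROGRAM, which executes with the OS privileges of the service account, so a database-level compromise of a SYSTEM-run server is a SYSTEM-level compromise of the host.

```powershell
# Added example (not from either post). Run elevated. Audits, and optionally
# repairs, the rights a service account needs on its directories so the service
# can stay on NETWORK SERVICE instead of SYSTEM.
param(
    [string]$ServiceName = 'postgresql-x64-16',                   # assumption: your service name
    [string]$Account     = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$InstallDir  = 'C:\Program Files\PostgreSQL\16',       # assumption
    [string]$DataDir     = 'C:\Program Files\PostgreSQL\16\data',  # assumption
    [switch]$Fix
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service $ServiceName currently runs as: $($svc.StartName)"

# Least-privilege targets: binaries are read/execute only (a writable install
# directory would let a compromised server replace its own executables);
# only the data directory gets full control.
$fsr = [System.Security.AccessControl.FileSystemRights]
$required = @{
    $InstallDir = $fsr::ReadAndExecute
    $DataDir    = $fsr::FullControl
}

# Rights may arrive through group membership, so count ACEs for the account
# itself and for the well-known groups NETWORK SERVICE belongs to (assumption:
# Users, Authenticated Users, Everyone, SERVICE).
$accountSid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$principals = @($accountSid, 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-6')

foreach ($dir in $required.Keys) {
    $need  = [int]$required[$dir]
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($principals -notcontains $aceSid) { continue }
        # Cast to int: inherited generic rights can show up as negative enum values.
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits } else { $deny = $deny -bor $bits }
    }
    # Needed bits must all be allowed and none of them explicitly denied.
    $ok = (($allow -band $need) -eq $need) -and (($deny -band $need) -eq 0)
    '{0}: needs {1}; allow=0x{2:X} deny=0x{3:X} -> {4}' -f $dir, $required[$dir], $allow, $deny,
        $(if ($ok) { 'OK' } else { 'MISSING' })

    if (-not $ok -and $Fix) {
        # icacls grants by SID with a leading "*"; (OI)(CI) inherits to files and
        # subfolders; RX or F is the narrowest right that satisfies $need.
        $grant = if ($required[$dir] -eq $fsr::FullControl) { 'F' } else { 'RX' }
        & icacls.exe $dir /grant "*${accountSid}:(OI)(CI)$grant"
    }
}

if ($Fix -and $svc.StartName -ne 'NT AUTHORITY\NetworkService') {
    # ACLs repaired: move the service off SYSTEM and back to the low-privilege
    # account (sc.exe requires the space after "obj=").
    & sc.exe config $ServiceName obj= 'NT AUTHORITY\NetworkService'
}
```

Run it without -Fix first: the report line per directory shows whether "Access denied" comes from a missing Allow or from an explicit Deny, which is the distinction that tells you whether someone tightened an ACL by hand. A Deny on the account or one of its groups is not repaired by adding an Allow and must be removed deliberately. For an IIS application pool the same audit applies with the site's physical path in place of the PostgreSQL directories.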