After doing some research around this topic, I should be attempting this task soon. However, I have two questions going around my head - could do with an experienced professional answering them.
I am using MariaDB 10.3 and the latest version of Centos 7.
Q1. From the MySQL console, when granting user permission rights, you would grant these for the Private IP and not the Public IP?
Q2. Currently, root permissions are disabled for remote sign-in. Is it a good practise to create a slave user instead and don’t touch root user permissions?
Thank you all!
Related
My Rundeck detail Rundeck version: 4.10.0
install type: DEB
OS Name/version: Debian 11
DB Type/version: h2
A LDAP user without a Role membership can properly login but can not see any Projects - so far fine.
How can i block such a user to Login at all?
We have one "userBaseDn" Group (userBaseDn="cn=Users,ou=PROD,dc=company,dc=com") in which all users are stored. But of course, only users in following roleBaseDn (roleBaseDn="cn=Rundeck_Admins,cn=Applications,ou=PROD,dc=company,dc=com") Group should have access to Rundeck Web UI.
I expect, only users in Group "Rundeck_Admins" can Login to Rundeck at all
Currently, you can only restrict that using an ACL policy (the user can log in but cannot view/edit/run any project/job, as you say), please take a look at this.
Alternatively, you can create a specific branch in your LDAP server only for Rundeck users.
Currently, means there will be a change on this behavior?
As far a i understand LDAP right, for a specific LADP branch in which a place users, i have to manage users twice. 1st, in user directory and 2nd in the specific Rundeck Group. For me quite unhandy...
I am have AWS EC2 Server with my App Backend and Database there.
My new developer needs to upload few things in the Database and update Backend code but I don't want to give him the PEM.
He needs to SSH
Whats the best possible way to do it? I was thinking of creating an IAM User for him - but I only want him to give SSH Access, so permission would that be? I could only find a general full permission EC2 which would also give him permission to edit the Security Group and things like that.
I do trust him well, but I just don't want to give him full access in general.
What can I do?
Why not allow your developer to connect using session manager.
If you use this he can access the environment either in his browser or via the AWS CLI.
He should be able to mimic a regular session but without having the key, then when he's done you remove the permissions of the server. You can also enable logging to check the history of his sessions actions.
If you want to update code you should at some point take a look at using code deploy to have the code automatically rolled out without even accessing the server.
My company is currently migrating our on prem Exchange users to the hosted Exchange Online platform. Migrating users is easy but we have hit a snag when on boarding new users. Our environment has multiple RDS servers. In the past we would setup a users mailbox on one server and when they would log in to another server the settings would follow them. That does not seem to be the case with Exchange Online. We are having to logon to each RDS server and manually set them up each time they logon to a new one(only for new users). If the user had an old on prem Exchange account that we migrated to the cloud then those settings get over-written and their Exchange Online account comes over no problem. Just trying to figure out a way that will setup the new user EOL accounts when they logon to the new servers. We are using Roaming profiles too if that helps. Maybe some sort of powershell script that I can modify with the new users names when I am setting them up?
Sounds like the AutoDiscovery isn´t working correctly. Please check with the Microsoft Remote Connection analyzer if you see any errors (e.g. as explained in KB 2404385). Here is by the way a good starting point how that should work.
I am using a Perforce server but the only superuser account is lost due to the fact that the Perforce support guy (who use the superuser account) left the company and did not write down the superuser account details. My team is depending on the perforce server. What can I do now to regain administration control of it ? I do have administrative right of the Windows server that is hosting the perforce server.
A quick search on the internet reveals that Perforce gets asked about that a lot, and they did something about it: here is a link to their knowledge base article.
Here is the description of te problem from the article:
The super user is unable to access the Perforce database due to the following conditions:
When the only super user account listed in the protections table is accidentally deleted, but still remains in the protections table
The owner of the super user account forgets the super user account password
The idea behind the fix is to stop the server, move db.protect out of the way, bounce the server, change the password using any other account, then move db.protect back, and bounce the server again.
On IBM DB2 v.9 windows, when someone connect to database by Server\Administrator user
DB2 database will automatically accept and grant all the permissions to this user?
But, in some case environment Administrator of server does not need to see every data in the database. So how to prevent Administrator use connect to database?
On 9.5 and older this would not be possible because the account under which your instance runs is SYSADM. Also Administrator can reset at least local account passwords and gain access to them, making changing the instance owner account useless.
However on 9.7 and onwards the instance owner will not have access to the data anymore. One option is to upgrade to 9.7. Furthermore you can set up an AD account for the connections your applications use. Local Administrator is not necessarily able to change into those credentials.
Still, the Administrator ultimately has access to the (usually unencrypted) database files. You can mostly improve the administrative aspect of security.
Umm... For many times I try to revoke with this command but when I connect to database by Administrator account DB2 will automatic grant permission to Administrator again.
I will try again for make sure.
By default, DB2 databases are created with CONNECT authority granted to public. If you want to restrict some users from connecting, you need to do
GRANT CONNECT ON DATABASE TO <user1>, <user2>, ...
Then revoke the CONNECT authority from PUBLIC
REVOKE CONNECT ON DATABASE FROM PUBLIC
I don't think it's possible under normal circumstances simply because Administrator is in the sysadm group.
Options I can think of (but haven't tried) include:
Setting the sysadm group to something else ("db2 update dbm cfg using sysadm_group blah"). Check the docs for caveats and gotchas when doing this, as I'm sure there are some.
Stop using OS authentication. Use a different security plugin (8.2 and higher only). This would move the authentication, and thus groups, to a new location (say an LDAP server). Then you just don't add Administrator to the new location, and especially don't add Administrator to the sysadm group again.
On Windows, the database manager configuration parameter SYSADM_GROUP controls who has SYSADMauthority at the instance level. When SYSADM_GROUP is blank (as is the default on Windows), then DB2 defaults to using the Administrators group on the local machine.
To fix this, you can create a new group in Windows and then modify the value of SYSADM_GROUP to use this new group. Make sure that the ID that the DB2 Service runs under belongs to this new group. After making this change, members of the Administrators group will no longer have SYSADM authority.
As Kevin Beck states, you may also want to look at restricting CONNECT authority on databases, too, because by default the CONNECT privilege is granted to PUBLIC.