Network Services Account - .net-2.0

Hi All,
I have a .NET application which connects to a Web Service. Application pool for the Web service works under Network Services account. Everything was working fine till yesterday and somehow it started giving error today. When I changed the application pool account from Network Services to an Admin level account, everything started working fine.
As far as I know, Network Services account has top level privilege on the local system.
My question is, can Network Services account lose its permissions? If yes, how to give those permissions back again?
Cheers.

The Network Service account has no top level privilege on the local system. The truth is, the Network Service account has minimum privileges, like a user in the Users group has.
It is most likely that someone has changed the privileges for some files and/or folders on your system, so that the Network Service account is not permitted anymore.
http://msdn.microsoft.com/en-us/library/ms684272%28VS.85%29.aspx

Related

How to limit access in Cloud Foundry

I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1. I deployed an app in Cloud Foundry using the “cf push” command.
2. After entering the “cf push” command I got the message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3. Using the {route-information} above, I can see the deployed app in a browser by entering the URL below.
https://{route-information}
This way, anyone can see the app from a browser, but I don’t want it to be seen by everyone and want to limit access to specific users.
I heard that this global IP will be allocated to {route-information} by default.
Is there any way to limit access to only between specific users?
(For example, is there any function in Cloud Foundry like the “private registry” in Kubernetes, which is not open to the public?)
Since I am using Cloud Foundry in IBM Cloud it would be better if there is solution using IBM Cloud.
I’ve already granted cloud foundry role to the other user.
Thank you.

The CloudFoundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There's a number of things you can do to limit access, but they do require some work on your part.
1. Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to the CloudFoundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts header or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements like you just want to hide something while you work on it, or it can work well paired with other options below.
2. You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK, if you're only allowing HTTPS traffic to your app which you should always do anyway).
You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google information for your application language/framework of choice.
3. You could set up an access Gateway. This would be an application whose job is to proxy traffic to other applications on the foundation. The Gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2, many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
CloudFoundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your Gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.
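An added example (not part of the original answer) of the in-application control from option 2, for a Node.js app like the one in the question: HTTPS-only Basic auth decided from the request headers. The user table, the realm name and the reliance on the platform router setting `X-Forwarded-Proto` are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Constructed sample credentials; a real app reads them from its environment.
const USERS = { alice: 'correct-horse-battery' };

// Compare fixed-length digests so timing does not reveal how much matched.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Decide from the request headers alone; returns the HTTP status to send.
function checkAccess(headers, users = USERS) {
  // Assumption: TLS ends at the platform router, which reports the scheme here.
  if (headers['x-forwarded-proto'] !== 'https') return 403;
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/i.exec(headers['authorization'] || '');
  if (!m) return 401;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // the password may itself contain ':'
  if (sep < 0) return 401;
  const user = decoded.slice(0, sep);
  const known = Object.prototype.hasOwnProperty.call(users, user);
  // Run the comparison for unknown users too, then require a known user.
  const match = safeEqual(decoded.slice(sep + 1), known ? users[user] : '');
  return known && match ? 200 : 401;
}

// Handler for http.createServer(handler).listen(process.env.PORT).
function handler(req, res) {
  const status = checkAccess(req.headers);
  if (status === 401) res.setHeader('WWW-Authenticate', 'Basic realm="app"');
  res.statusCode = status;
  res.end(status === 200 ? 'Hello World\n' : 'Access denied\n');
}

// Constructed requests: a known route name without credentials, then a login.
const good = 'Basic ' + Buffer.from('alice:correct-horse-battery').toString('base64');
console.log(checkAccess({ host: 'my-cool-domain.local', 'x-forwarded-proto': 'https' }));
console.log(checkAccess({ 'x-forwarded-proto': 'https', authorization: good }));
```

Because the decision does not depend on the Host header, a request that reaches the app through a guessed domain name is still refused with 401.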

Postgres service account on Windows best practice

On Windows, by default PostgreSQL installation starts the service as Network Service and on Postgres data folder Network Service has permission. I landed in the situation wherein the installation folder was not having permission for Network Service and that made my application down. On manually starting service it says "Access denied". I found a way if I start the service using SYSTEM account it works fine.
But is this the best way (simple & secure)? I am just concerned whether that is going to degrade the security of Postgres. Let me know.

How can I authenticate with the machine account during SPNego authentication?

My goal is to create a HTTPS REST service that (in concept) allows a machine account to authenticate using the less-than-documented machine$ account.
I have a REST endpoint for an AD connected intranet application. Right now IIS simply echoes the thread CurrentPrincipal when I navigate using Internet Explorer.
Now I'm using the HttpClient, using default authentication, running as my username, and that also works.
My new goal is to send the AD-connected machine account (that ends in the dollar sign $) so that IIS responds with the Kerberos name Domain\TestServer$
I attempted creating a Windows Desktop service, running as NetworkService or LocalSystem, and I'm not clear if HttpClientHandler.UseDefaultCredentials is sufficient for running in this (unusual) context or if a different approach is needed to authenticate using the machine account.
Is a PInvoke needed? Is there anything in logonuser32 that needs to be done?

Is it possible to access GCP resources using the API without user interaction?

In most of the documentation I found about GCP, the REST API needs user interaction for authentication. Is there a possible way to access a GCP resource without interaction from a user?
E.g.: I would like to implement a cron job on my local workstation to launch a GCP machine.

Yes, it's possible, this is what service accounts are for:
A service account is a Google account that represents an application, as opposed to representing an end user.
Important: For almost all cases, whether you are developing locally or in a production application, you should use service accounts, rather than user accounts or API keys. You can use a service account by providing its private key to your application, or by using the built-in service accounts available when running on Google Cloud Functions, Google App Engine, Google Compute Engine, or Google Kubernetes Engine.
All GCP APIs support service accounts. For most server applications that need to communicate with GCP APIs, we recommend using service accounts, as they are the most widely-supported and flexible way to authenticate.
For more information, see getting started with authentication.
You'd have to create a service account representing your application (executed as the cron job) and in your application you'd authenticate the REST API calls using that service account's credentials.
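An added example (not from the original answer or from Google's documentation) of what "authenticate using that service account's credentials" means on the wire for a cron job: the job signs a short-lived JWT with the service account's private key and exchanges it at the OAuth 2.0 token endpoint, with no user involved. The `client_email`, the project name and the throwaway RSA key generated here are constructed stand-ins for a real key file; nothing is sent over the network.

```javascript
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed stand-in for a downloaded key file: throwaway RSA key, made-up
// client_email. A real key is a long-lived secret; keep it out of source control.
function makeSampleKey() {
  const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    client_email: 'cron-launcher@example-project.iam.gserviceaccount.com',
    private_key: pair.privateKey.export({ type: 'pkcs8', format: 'pem' }),
    public_key: pair.publicKey, // kept only so the demo can verify locally
  };
}

// Build the RS256-signed JWT that the job presents instead of a user login.
function buildAssertion(key, scope, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: key.client_email, scope, aud: TOKEN_URL, iat: now, exp: now + 3600 };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), key.private_key);
  return `${input}.${b64url(sig)}`;
}

// Form body to POST to TOKEN_URL; the response carries the access token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Local version of the server-side checks: signature, audience, lifetime.
function verifyAssertion(jwt, publicKey, now) {
  const [h, c, s] = jwt.split('.');
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKey,
    Buffer.from(s, 'base64'));
  const claims = JSON.parse(Buffer.from(c, 'base64').toString('utf8'));
  const timeOk = claims.iat <= now && now < claims.exp && claims.exp - claims.iat <= 3600;
  return sigOk && claims.aud === TOKEN_URL && timeOk ? claims : null;
}

const key = makeSampleKey();
const jwt = buildAssertion(key, 'https://www.googleapis.com/auth/compute');
console.log(verifyAssertion(jwt, key.public_key, Math.floor(Date.now() / 1000)).iss);
console.log(tokenRequestBody(jwt).slice(0, 80) + '...');
```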

I'm transferring my domain to Azure. I need to have the ability to use my #url.com email addresses

I'm currently using 1&1 and they have a system for managing emails. I need to make sure I don't lose access to my business site's email addresses. What can I do?
When you have an application running in Windows Azure and you want to access your application with a real domain name, i.e. yoururl.com, you actually don't transfer your domain. Your domain sticks with the same domain registrar, whoever it is (in this case 1&1); however, you just use DNS or CNAME setup in the Windows Azure application so your domain name points to the actual application running on Windows Azure.
As far as I know, if you are just setting your domain name via DNS/CNAME, pointing to the Windows Azure application, there is no change to your domain and it will stay intact with your domain registrar and will not impact anything else.
At last, I do have a question: what are you doing with Windows Azure, as you don't have a better understanding about how it is impacting you when you are making a decision? So you may need a little more info/knowledge about what and why you are using Windows Azure and how it is going to impact your current setup.
Azure has no email system equivalent to that bundled with web hosting by many entry level providers (including, presumably, 1&1). You are either going to need to continue hosting your email with your existing host, or transfer your email domain to someone who offers pure email hosting. Another option might be to run your own mail server on a Windows Azure VM, but according to this post, this isn't yet possible due to networking restrictions: http://social.msdn.microsoft.com/Forums/en/WAVirtualMachinesforWindows/thread/18da4da3-ebf3-48c7-9462-12fa4317175b