is there a script to find the app permisisons? - azure-powershell

can you help to find the list of Azure applications where Application permission named Mail.* (it could be any permission Mail.Read/Mail.ReadWrite/Mail.Send/or any other)?
should use Powershell for this activity.
Note : Certain applications can have Delegated Mail.* permission (which we do not want).
Thanks

Related

IIS, User Permissions and Umbraco

I have installed Umbraco on my local machine but I have some questions regarding IIS and permissions if someone can help verify that I understand it all correctly. My environment is as follows
• Windows 7 Pro OS
• IIS 7.5 - I have set up a new site in IIS which has the identity Application Pool Identity for the app pool
• Umbraco v7.3.0 – The application files are located in C:\Users[myUsername]\Documents\Visual Studio 2013\Projects\InstallingUmbracoDemo\InstallingUmbracoDemo
Is the following process/understanding correct?
Add a new website in IIS and the application pool name is automatically updated to reflect my sites name.
By default this will use the identity ApplicationPoolIdentity which means that my new sites worker process (w3wp.exe) will run in an application pool that has the same name as my website in IIS
By default when I created my new site it will be added to a user group called IIS_IUSR
If I try to access my application files (that are in a folder that doesn’t not grant permission to the IIS_IUSR user group) it will mean IIS can’t access the resources until I grant the IIS_IUSR user group access
The IUSR user group is used for anonymous access and for anything anonymously requesting my website it will be added to this group
As Umbraco needs to access the internet to install the application I need to a grant permission to IUSR to allow it to do so
Partly because I don’t quite fully understand everything I’m quite concerned about the security of granting permission to IUSR on the root folder where the application files reside. Once Umbraco has installed can this user groups full permission be revoked? Does it require full permission?
I have found the following resource https://our.umbraco.org/wiki/reference/files-and-folders/permissions but if anyone else can provide an overview regarding permissions and the ISUR & IIS_ISUR work and more importantly whether I am understanding this process correctly.
Apologies if I am way of the mark – I’m just trying to learn and ensure i fully understand everything.
Many thanks
Paul
Umbraco will need permission to write files to certain folders on the server as the content/media cache, examine indexes, logs, media, etc are all disk file based.
Have you tried adding the specific AppPool user to the folders and granting permission to it?
Its usually:
IIS AppPool\MyAppPoolNameInIIS
I have had cases where that isn't allowed and I have to use IUSR, but generally this works and seems more specific and contained.

IIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared folders

I am attempting to set up an IIS 6.0 application running on Windows Server 2003 to use impersonation in order to avoid having to give users direct read/write access to the shared folders where the DB and web pages are stored. Can anyone provide me with details of how this can be set up to work in conjunction with Windows Integrated Authentication?
So far, I can tell that the web.config file (not sure whether it's the correct one) has the two lines mentioned on this thread (Impersonation in IIS 7.0) to allow impersonation and use the Windows logon method. However, users are still prompted for a logon and then told they are not authorized to view web pages. They can view pages if we turn anonymous logon "on", but then their user credentials aren't passed on to the site and therefore they can't access most of it.
I'm fairly inexperienced, so I'm a bit lost here. Thank you very much in advance for the help!
Thanks to intervention from Microsoft (definitely worth the flat fee they charge per incident), we were able to identify the problem. Instead of using the network path to identify the website location on the "Home Directory" tab of the IIS properties, we were using the local drive path. That was all that needed to be changed.
Once we switched to the network path and added a dedicated service account to "Connect As...", impersonation started working right away. Users pass their logged on credentials via integrated authentication (no logon required) and the service account takes care of executing their actions on the database file.
Access to the shared folder is limited to a brief list of administrators, and data access on the web application is limited based on user names.
If anyone is stuck with this and needs help, let me know!

Failed to update database because the database is read only

This message appears every time I try to save the data to the DB.
Failed to update database because the database is read only
Note: This error comes only when the application is installed to C drive.
Front End: VB.NET
Back End:SQL Server
Is there any way to overcome this issue?
Or any way to restrict the user from installing the application on C drive?
I would check the file system privileges. I suppose you talk about an SQL server file database. You receive the message because the account trying to access your file database does not have the file system permissions to do so.
In order to confirm my suggestion, you allow everyone to access the specific directory with full permissions.
Then, you have to check what is the account trying to do the actual access. Probably it's a system account (user ASPNET or NETWORK SERVICE). You have to give the respective permissions to the specific account.
Then, restart IIS.
If you want to do this for a distributed stand-alone application. Then these permissions would have to change on each machine where the program would be installed. In order to avoid putting users in such a fuss, the setup program should do it. I am not an expert on setup programs, but even the simplest ones would give you the option to do it, after asking the system adminstrator's approval. I suppose you could build a custom action during the setup program which would change the specific folder's permissions, perhaps by using xcacls.exe.
Hope I helped!

Can Hudson be configured to prevent certain users from accessing certain projects?

I have various projects being built and tested periodically on a Hudson server, but I don't want every employee in the company to see published artifacts for every project.
Project-based matrix security seemed at first the key, but after many tests I find that granting overall read permissions is mandatory if you want users to be able to read anything in the hudson server.
So, in the end read permissions are binary: either you grant global read permission or you block everything, am I right?
Haven't it tested with the newest release, but I use the matrix setup. I gave Anonymous the overall read. This way they can see the login screen when they type {{http://servername:port/}} but does not give them access to the jobs. In the jobs themselves I configured the users that should actually see the job. Works like a charm.
UPDATE:
Meanwhile I found out that you can use authenticated instead of Anonymous. This enabled access to Hudson/Jenkins through the links in the Build failed messages. Now everyone gets the logon dialog and after signing in, they are right away at the job run of interest.
After trying to do something similar to you with Hudson's authorization settings, I came to the same conclusion you did.

Understanding IIS6 permissions, ACL, and identity--how can I restrict access?

When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.