I have this problem, I can create a setup for my app/database but everyone can open the backend file which is an MS Access database. I want it so we can only access the database using the frontend app. Please help me ...
You will need to create a separate front end app that accesses the database, and keep the database file somewhere secure where direct access to it is limited/restricted. You should also password-protect the file in case someone does manage to get it See tip #10 here: https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/10things/?p=552 for info about password protection (though you might find the other tips useful as well).
Whatever you do, don't rely on Access password protection. It can be cracked in minutes by tools freely available on the internet.
I would get Garry Robinson's book Real World Microsoft Access Database Protection and Security
It is the most comprehensive guide to securing an Access database that there is.
A first step, however, would be to put the backend file in a restricted folder.
Related
So, I'm building this api where each client use the same system (controllers, models). Each client has his own database and a website that connect's to this database.
Now that's the problem, this api must serve all this websites with different database connections and since I'm new to Laravel, I'm facing a hard time. What's the best way to do that?
Should I save each database in a file (for example client's id is 1, so we have a folder with a file named 1.env with database info)?
PS.: I'm using oauth2
The solution I found was: each client with his own database and a folder with "users" and a subfolder for each client. Inside, a file with database info, in login we use a global table that indicates where's the database from that user. Next step is load the database connection and check user/password. That was a quick solution.
However in my research I stumped into "multi tenancy" thing that seams way better, you can find it more on this link.
Obviously I am very new, so please bear with me.
I installed Kohana Framework in my localhost. To do is so we have to set two specific folders with write permissions to all. "chmod 666" is suggested. (here)
The remaining directories are set to 755.
My question is more directed to Apache.
Will the use of "chmod 666" create a vulnerability in a webserver?
What exacly means "write access for everyone"?
Many thanks in advance!
666 is almost always a really bad idea. The web site where you read that needs a good flogging.
"Write access for everyone" means that anyone with a user account on your system can write to that directory.
These rights are only for your current server, so if you are the only one with access to a user account on your machine you should be pretty safe. Write access for everyone means everyone with a user account on your machine has the right to write. Please note that 3rd party software (like apache) can have it's own user as well and this could be compromised if there's a exploit in that software. This way someone from the outside could gain access to that folder. It's a common practice to only give rights to users that really need access.
Note: On a normal Windows machine (don't know if this is still true with Windows 7 though) everyone has access to everyone's files. So this is just another security measure.
Hey guys, i've been googling ambitiously but my searches seem to be somewhat ambiguous so I thought i'd ask here.
My company has asked me to look into a web portal system that allows clients to log in via their browser and view/download their specific invoices / reports (the web server would be inhouse).
These (initially at least) would be static documents, pdf's, maybe excel spreadsheets and the like.
What I want to happen is a customer heads to our website (hosted elsewhere), clicks a link that takes them to a secure login for our webserver, they then enter their login details and are taken to their respective 'folder' on our webserver. Here they can download pdf's - that we keep up to date.
The main considerations are for it to be secure such that users can't access other users' folders and for users not to have to install anything to be view download their documents.
I'm setting up a pc to be a LAMP server right now, i've read WebDAV would be a good way to go but i'm not sure about how to get that working in a browser? Any advice or resources you guys can point me to give me a bit more direction would be greatly appreciated.
Thanks, Rob
If you've only got a handful of accounts to manage, apache's built-in HTTP Auth password stuff works pretty well; you write usernames and hashed passwords into an .htpasswd file with the htpasswd utility.
Then you use <Location> directives to specify the URL and directories to find the data, and inside the <Location> directives, use the Require directive to either list specific usernames or valid-user.
Just make sure your .htpasswd file isn't stored in the web root. You don't want people to get a hold of the thing and start brute-forcing your passwords (or see your other allowed users, in case client privacy is a priority).
But it is pretty heavy maintenance -- password changes pretty much have to go through a human. I imagine someone has scripts to automate that, but I wouldn't trust them very far. :)
If you want something that scales larger, I think you might be better off building such a tool yourself.
Hi Guys any help would be much appreciated.
We have an application that’s installed at several locations but we are having an issue at one particular site. In short the application settings (My.) are not being saved after a reboot. The application is build in VB.Net v3.5 Framework and we are not experiencing any issues elsewhere.
This particular site is using roaming profiles and the network administrator ensures us that the correct permissions are applied to the user account(s) and all application data is being saved to the server. I’ve asked the network admin to check for the existence of the user settings file user.config in the Application Data directory and he says it doesn’t exist.
In our application we store the connection string to the database in the application settings under the user scope. If no connection string is present or if one is present and a connection to the database cannot be made then a form is shown asking the user for the database credentials. Each morning when the users boot the machine and opens the application for the first time they are asked for these credentials but if they close the application and restart it they are not asked for them. This indicates to us that the settings are being saved but once the pc is rebooted and the application is opened for the first time they are asked for the database credentials. This seems like the settings are not persisting after a reboot.
Any thoughts/feedback would be much appreciated.
I'm wondering if it's Code Access Security preventing the file from being written?
If the sysadmin at trouble site has implemented group policy folder redirection, the user's local/roaming profile could be getting stored on a network fileshare. Code Access Security is fairly picky about letting code read/write to/from network resources.
I'm sorry that I don't have more details than this, and I didn't find any sure-fire hits on google, but searching for "code access security", "fulltrust" and any network/fileshare keywords you can think of may get you farther.
When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.