Search Results

Search found 16101 results on 645 pages for 'owsm webservices ws security ws trust soa secuirty'.

Page 152/645 | < Previous Page | 148 149 150 151 152 153 154 155 156 157 158 159 | Next Page >

How to Protect Sensitive (HIPAA) SQL Server Standard Data and Log Files

- by Quesi

I am dealing with electronic personal health information (ePHI or PHI) and HIPAA regulations require that only authorized users can access ePHI. Column-level encryption may be of value for some of the data, but I need the ability to do like searches on some of the PHI fields such as name. Transparent Data Encryption (TDE) is a feature of SQL Server 2008 for encrypting database and log files. As I understand it this prevents someone who gains access to the MDF, LDF, or backup files from being able to do anything with the files because they are encrypted. TDE is only on enterprise and developer versions of SQL Server and enterprise is cost-prohibitive for my particular scenario. How can I get similar protection on SQL Server Standard? Is there a way to encrypt the database and backup files (is there a third-party tool)? Or just as good, is there a way to prevent the files from being used if the disk were attached to another machine (linux or windows)? Administrator access to the files from the same machine is fine, but I just want to prevent any issues if the disk were removed and hooked up to another machine. What are some of the solutions for this that are out there?

Read the article
How to disable 3rd party cookies in Chrome?

- by David Nordvall

I have both the "stop websites from storing local data" and the "block all third party cookies without exception" settings enabled in Chrome 12 (I'm not sure what the exact names of these settings are in english as I run Chrome with swedish localization). I do however have two problems. My first problem is that when I'm visiting one of my local news paper's site (and surely other), cookies from www.facebook.com is allowed for some reason. I suspect that the reason is that I have added an exception to the www.facebook.com domain but as the setting "block all third party cookies without exception" implies, that shouldn't matter. My second problem is that if I check what cookies are stored on my computer after browsing for a while, I have tons of cookies that are not on my white list. Primarily from ad services. My expectations from enabling the above mentioned settings was that only cookies that fulfill the two folling requirements would be accepted: the cookies must be from the domain in my address bar the cookies must be from a domain on my whitelist Apparently this isn't the case. The question is, have I completely misunderstood the settings or is this a bug? And, either way, is there a way to accomplish my desired behavior?

Read the article
Static NAT in AWS's Virtual Private Cloud (VPC)

- by user1050797

Currently in a VPC with a public and a private subnet, all internet bound traffic from the private subnet could be routed via an NAT instance. The NAT instance will port address translate the packet's source IP to use the NAT instance's elastic IP, so the public server can reply to this public address. This is a PAT mechanism. My question is there a way for me to do a static NAT on my NAT instance -- Using the same NAT instance to static NAT an unassociated but reserved elastic IP to a private subnet host. This NAT instance will behave like a physical firewall doing static nat'ing for a bunch of private ip's.

Read the article
What consequences to take from what i read in logfiles?

- by Helene Bilbo

Since some weeks i manage my first Webserver, a Seaside application behind an Apache proxy on Linode, and i installed logwatch to send me daily logs. Where can i get information on when i have to act as a consequence of what i read in these logwatch reports? For example i read that all kinds of people try to login on funny nonexisting accounts or all kinds of webcrawlers test for nonexisting cms login pages, some ip adresses get banned and unbanned by fail2ban... I assume that's normal? Is it? But how do i know that i probably have to do something? What do i look for in the logs?

Read the article
mod_security2 and w00tw00t attacks

- by Saif Bechan

I have a server with apache and i recently installed mod_config2 because I get attacked a lot by this: My apache version is apache v 2.2.3 and i user mod_security2.c [Wed Mar 24 02:35:41 2010] [error] [client 88.191.109.38] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Wed Mar 24 02:47:31 2010] [error] [client 202.75.211.90] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Wed Mar 24 02:47:49 2010] [error] [client 95.228.153.177] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Wed Mar 24 02:48:03 2010] [error] [client 88.191.109.38] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) I tried configuring mod_security2 like this: SecFilterSelective REQUEST_URI "w00tw00t.at.ISC.SANS.DFind" SecFilterSelective REQUEST_URI "\w00tw00t.at.ISC.SANS" SecFilterSelective REQUEST_URI "w00tw00t.at.ISC.SANS" SecFilterSelective REQUEST_URI "w00tw00t.at.ISC.SANS.DFind:" SecFilterSelective REQUEST_URI "w00tw00t.at.ISC.SANS.DFind:)" The thing in mod_security2 is that SecFilterSelective can not be used, it gives me erros. Instead i use a rule like this: SecRule REQUEST_URI "w00tw00t.at.ISC.SANS.DFind" SecRule REQUEST_URI "\w00tw00t.at.ISC.SANS" SecRule REQUEST_URI "w00tw00t.at.ISC.SANS" SecRule REQUEST_URI "w00tw00t.at.ISC.SANS.DFind:" SecRule REQUEST_URI "w00tw00t.at.ISC.SANS.DFind:)" Even this does not work. I don't know what to do anymore. Anyone have any advice?

Read the article
OpenVPN vs. IPSec - Pros and Cons, what to use?

- by jens

interestingly I have not found any good searchresults when searching for "OpenVPN vs IPSec": I need to setup a private LAN over an untrusted network. And as far as I know, both approaces seem to be valid. But I do not know which one is better. I would be very thankfull If you can list the pro's and con's of both approaches and maybe your suggestions and experiences what to use. Update (Regarding the comment/question): In my concrete case the goal is to have any number of Servers (with static IPs) be connected transparently with each other. But a small portion of "dynamic clients like road warriors" (with dynamic IPs) should also be able to connect. The main goal is however having a "transparent secure network" run top of untrusted network. I am quite a newbie so I do not know how to correctly interprete "1:1 Point to Point Connections" = The solution should support Broadcasts and all that stuff so it is a fully functional network... Thank you very much!! Jens

Read the article
Returning "200 OK" in Apache on HTTP OPTIONS requests

- by i.

I'm attempting to implement cross-domain HTTP access control without touching any code. I've got my Apache(2) server returning the correct Access Control headers with this block: Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Methods "POST, GET, OPTIONS" I now need to prevent Apache from executing my code when the browser sends a HTTP OPTIONS request (it's stored in the REQUEST_METHOD environment variable), returning 200 OK. How can I configure Apache to respond "200 OK" when the request method is OPTIONS? I've tried this mod_rewrite block, but the Access Control headers are lost. RewriteEngine On RewriteCond %{REQUEST_METHOD} OPTIONS RewriteRule ^(.*)$ $1 [R=200,L]

Read the article
Good infrastructure design questions for software developers?

- by JakeRobinson

Building on Jeff's blog post titled Vampires (Programmers) versus Werewolves (Sysadmins) From my perspective, the whole point of the company is to talk about what we're doing. Getting things done is important, of course, but we have to stop occasionally to write up what we're doing, how we're doing it, and why we're even doing it in the first place -- including all our doubts and misgivings and concerns. So, what are some questions you ask your software developers when they request a server?

Read the article
VPN Error 619: Behind Cisco Router WRT310N

- by ty91011

I've researched a lot on all the forums and this error is too generic for any of the proposed solutions to work. I'll try to give as much detail and tried solutions. I'm running a CentOS PPTP server behind a Cisco WRT310N Router. Multiple clients from outside with different OS have failed with the same error 619, along with turning off windows firewall and disabling antivirus. I believe this is a router and IP routing issue, and not a client issue. When I connect from a client on the same router as the VPN server, it works when I use the 192. network address- but doesn't work with the public IP address. I've tried telnet to port 1723 from an outside server and I get in. I've opened up the VPN port (1723) on the router, VPN udp port (500), and the GRE port (47) to route to the VPN server's ip. Also, the server's router is behind a DSL modem. I had a glimmer of hope when this site: http://www.chicagotech.net/casestudy/vpnerror619.htm suggested that the PPoE authentication should reside on the router and not the modem. But I still came up empty. So does anybody know what the problem is?

Read the article
Identifying mail account used in CRAM-MD5 transaction

- by ManiacZX

I suppose this is one of those where the tool for identifying the problem is also the tool used for taking advantage of it. I have a mail server that I am seeing emails that spam is being sent through it. It is not an open relay, the messages in question are being sent by someone authenticating to the smtp with CRAM-MD5. However, the logs only capture the actual data passed, which has been hashed so I cannot see what user account is being used. My suspicion is a simple username/password combo or a user account's password has otherwise been compromised, but I cannot do much about it without knowing what user it is. Of course I can block the IP that is doing it, but that doesn't fix the real problem. I have both the CRAM-MD5 Base64 challenge string and the hashed client auth string containing the username, password and challenge string. I am looking for a way to either reverse this (which I haven't been able to find any information on) or otherwise I suppose I need a dictionary attack tool designed for CRAM-MD5 to run through two lists, one for username and one for password and the constant of the challenge string until it finds a matching result of the authentication string I have logged. Any information on reversing using the data I have logged, a tool to identify it or any alternative methods you have used for this situation would be greatly appreciated.

Read the article
Windows file sharing with a private LAN when a public VPN is connected?

- by netvope

OS: Windows Vista My LAN interface is configured as a "private network". I want to have all the sharing and discovery features (Network Discovery, File Sharing, Public Folder Sharing, Printer Sharing, Password Protected Sharing, and Media Sharing), so I enabled them all. My VPN interfaces are configured as "public networks", and I do NOT want to have any of the above features. Now the problem is that if I disabled these sharing features while a VPN is connected, it affects both interfaces. I guess the Network and Sharing Center is probably an oversimplified tool that may not support multiple interfaces. Where can I tell Windows to enable sharing features for the private networks and not the public networks? For file sharing, I think I can disable "File and Printer Sharing for MS Networks" in each of the VPNs' properties. However, I will need to disable it every time I add a new VPN. Moreover, I can't find how to disable Media Sharing by this way. If this can be more easily done in Windows XP or 7, please let me know.

Read the article
Bad to be logged in as admin all the time?

- by poke

At the office where I work, three of the other members of the IT staff are logged into their computers all the time with accounts that are members of the domain administrators group. I have serious concerns about being logged in with admin rights (either local or for the domain). As such, for everyday computer use, I use an account that just has regular user privelages. I also have an different account that is part of the domain admins group. I use this account when I need to do something that requires elevated privilages on my computer, one of the servers, or on another user's computer. What is the best practice here? Should network admins be logged in with rights to the entire network all the time (or even their local computer for that matter)?

Read the article
Exchange 2010 OWA with Client Certificates

- by Christian

I have enabled Client Certificate Authentication for Exchange 2010 through IIS7 and the users are prompted to choose their User Certificate when they log in, but they are all then presented with the following error message Request Url: https://<domain_name>:443/owa/ User host address: <server_ip_address> OWA version: 14.1.355.2 Exception Exception type: System.NullReferenceException Exception message: Object reference not set to an instance of an object. Call stack Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.GetUserIdentities(OwaContext owaContext, OwaIdentity& logonIdentity, OwaIdentity& mailboxIdentity, Boolean& isExplicitLogon, Boolean& isAlternateMailbox, ExchangePrincipal& logonExchangePrincipal) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.OwaRequestEventInspector.OnPostAuthorizeRequest(Object sender, EventArgs e) System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) The method I followed to enable Certificate authentiaction was from this post: http://www.miru.ch/2011/04/how-to-enable-certificate-based-authentication-on-exchange-2010/ Any ideas? Google isn't being very helpful

Read the article
Bad ways to secure wireless network c

- by Moshe

I was wondering if anybody had any thoughts on this, as I recently saw a Verizon DSL network set up where the WEP key was the last 8 characters of the router's MAC address. (It's bad enough that hey were using WEP in the first place...)

Read the article
Default document not working after installing SP1 on Windows 2008 R2 x64

- by boredgeek

We have a web site that should only be available for authorized users. So we deny anonymous access for the site. However we do allow anonymous access to the default page and the login page. When we installed SP1 the behavior of the server changed. Now if the user is trying to access the root of the site, say http://mysite.com, she is redirected to login page rather than the default page. Is there a hotfix to bring back the previous behavior?

Read the article
Steps to hardening JBoss for production use on Windows?

- by Brian

Looking for resources/guidance on hardening a JBoss installation on windows for production use.

Read the article
IIS7 authentication

- by Kev

To give our user's the ability to protect content on their IIS6 sites we used a tool called IISPassword which emulates .htaccess to provide Basic authentication. There isn't support for IISPassword on IIS7 at the moment. Is there an equivalent mechanism I can use built into IIS7 instead? I'm well aware of ASP.NET Forms Authentication, but I need a way for users deploying non-ASP.NET content (such as PHP, Perl, images etc) to be able to use Basic authentication but not have to write code to achieve this. Is this possible?

Read the article
Nginx Password Protect Directory Downloads Source Code

- by Pamela

I'm trying to password protect a WordPress login page on my Nginx server. When I navigate to http://www.example.com/wp-login.php, this brings up the "Authentication Required" prompt (not the WordPress login page) for a username and password. However, when I input the correct credentials, it downloads the PHP source code (wp-login.php) instead of showing the WordPress login page. Permission for my htpasswd file is set to 644. Here are the directives in question within the server block of my website's configuration file: location ^~ /wp-login.php { auth_basic "Restricted Area"; auth_basic_user_file htpasswd; } Alternately, here are the entire contents of my configuration file (including the above four lines): server { listen *:80; server_name domain.com www.domain.com; root /var/www/domain.com/web; index index.html index.htm index.php index.cgi index.pl index.xhtml; error_log /var/log/ispconfig/httpd/domain.com/error.log; access_log /var/log/ispconfig/httpd/domain.com/access.log combine$ location ~ /\. { deny all; access_log off; log_not_found off; } location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } location /stats/ { index index.html index.php; auth_basic "Members Only"; auth_basic_user_file /var/www/web/stats/.htp$ } location ^~ /awstats-icon { alias /usr/share/awstats/icon; } location ~ \.php$ { try_files /b371b8bbf0b595046a2ef9ac5309a1c0.htm @php; } location @php { try_files $uri =404; include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/lib/php5-fpm/web11.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors on; } location / { try_files $uri $uri/ /index.php?$args; client_max_body_size 64M; } location ^~ /wp-login.php { auth_basic "Restricted Area"; auth_basic_user_file htpasswd; } } If it makes any difference, I'm using Ubuntu 14.04.1 LTS with Nginx 1.4.6 and ISPConfig 3.0.5.4p3.

Read the article
Finding a backup and synchronization solution

- by Andrea Zilio

I'm having difficulties to find a backup and synchronization solution with the following characteristics: Cross-platform: Windows, Linux, Mac Offsite backup (so Internet Backup) Data deduplication Transfer only new/modified bits of modified files Secure: Data encrypted before leaving computer Maintain multiple versions of files (even deleted files) Folder synchronization integrated with backup and across multiple computers connected to the internet (not necessarily in the same LAN) I think that the Folder Sync feature needs a better explanation. The use case is this: you have a desktop pc and a laptop. The desktop pc contains a folder with some files and this folder is part of the backup (so it was selected to be backed up). The laptop does not contain that folder or that files at all. Then you're abroad with your laptop and you need that folder. So you want to be able to open the backup program, select that folder from the backup and download it in your laptop mantaining it synchronized with the backed up version. When you then come back home and switch on your desktop pc you want the folder we're talking about to be updated in the desktop PC. Does anyone knows any service with all these features? I've only found SpiderOak to support all the features I've mentioned but I'm not completely satisfied by the time taken to complete a backup. Sometimes it seems to hang for minutes with no reasons at all and folder synchronization occurs only after all files are backed up (instead folder sync should have a separated queue independent from other backup operations and synchronization should occurs frequently... for example every 5 minutes or less, independently from the frequency of normal backup operations)

Read the article
If I'm a web server, for which accounts can I turn off shells within passwd file?

- by eric01

I am making a web server running LAMP and want to access it using SSH. When I open the passwd file, I see all those accounts and I want to know for which ones I can put false. I have the following accounts: root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data backup, list, irc, gnats, nobody, libuuid, syslog, messagebus, whoopsie, mandscape, sshd, eric Except root, sshd and eric, which ones should I not disable? How about www-data and sshd? Thanks a lot for your help.

Read the article
.htaccess to deny access to most xml files

- by CEich

I recently had a Joomla site hacked, so I'm trying to harden the site a bit. There's a section in the recommended .htaccess that restricts outside access to the xml files that come with extensions. However, it also keeps my sitemap.xml file from being accessed. How do I allow a certain file whiles keeping the rest? here's the default code: <Files ~ "\.xml$"> Order allow,deny Deny from all Satisfy all </Files> and my modification that caused a 500 error: <Files ~ "(?!sitemap)\.xml$"> Order allow,deny Deny from all Satisfy all </Files>

Read the article
NIS: which mechanism hides shadow.byname for unpriviledged users?

- by Mark Salzer

On some Linux box (SLES 11.1) which is a NIS client I can do as root: ypcat shadow.byname and get output, i.e. some lines with the encrypted passwords, amongst other information. On the same Linux box, if I run the same command as unpriviledged user, I get No such map shadow.byname. Reason: No such map in server's domain Now I am surprised. My good old knowlege says that shadow passwords in NIS are absurd because there is no access control or authentication in the protocol and thus every (unpriviledged) user can access the shadow map and thereby obtain the encrypted passwords. Obviously we have a different picture here. Unfortunately I don't have access to the NIS server to figure out what is happening. My only guess is that the NIS master gives the map only to clients conection from a priviledged port (1024), but this is only an uneducated guess. What mechanisms are there in current NIS implementations to lead to a behavior like the above? How "secure" are they? Can the be circumvented easily? Or are shadow passwords in NIS as secure as the good old shadow files?

Read the article
What is the best/easiest way to use scripts to analyze network traffic?

- by yungin

I'm looking to analyze packets via scripts. I'd like to use something high level. I'm in a mac/linux environment. I'm currently looking at different python+libpcap libraries. Perhaps lua+wireshark too. Maybe tcpdump+bash (but not sure that has a lot of info i can use). I also heard good things about scapy. Not sure. I'm wondering if you have any recommendations? There's quite a few of them out there. What have you found that works best? I'd definitely want something scriptable not something that I need to compile (like c/c++, etc)

Read the article
Disabling partition just for one OS on multi-boot system

- by Emiswelt

Hi Regarding to the solution there: http://serverfault.com/questions/36385/how-can-i-mount-a-hard-drive-as-read-only-on-windows-xp I have a system with three partitions. One runs windows 7, one runs windows XP and is for some experimental programming and testing. I don't want to mess up anything, so I am going to disable the windows 7 partition like described on the linked page above from windows XP to protect the operating system. When I do this, is the windows 7 partition only disabled for the running XP os, or is the windows 7 partition rendered unbootable? with best regards

Read the article
hosting people asking for my account username and password to enable curl and socket function only for me

- by Jayapal Chandran

I have hosted my site in a shared environment. My hosting people disabled socket function all together. and they said that we can enable only for you if i given a written statement. I did but they asked for my control panel login details so they will run some kind of script to enable it. Is it right for the hosting company to ask for credentials. They have the total control so why cant they do it? Edit: Before six months many websites in their server got hacked. So they think it would be because of socket functions and had disabled it. They say they can enable it for specific users who do programming using that and that is by email request.

Read the article

< Previous Page | 148 149 150 151 152 153 154 155 156 157 158 159 | Next Page >