Search Results

Search found 13454 results on 539 pages for 'ws security'.


  • Is reliance on parametrized queries the only way to protect against SQL injection?

    - by Chris Walton
    All I have seen on SQL injection attacks seems to suggest that parametrized queries, particularly ones in stored procedures, are the only way to protect against such attacks. While I was working (back in the Dark Ages) stored procedures were viewed as poor practice, mainly because they were seen as less maintainable; less testable; highly coupled; and locked a system into one vendor (this question covers some other reasons). Although when I was working, projects were virtually unaware of the possibility of such attacks, various rules were adopted to secure the database against corruption of various sorts. These rules can be summarised as:
    - No client/application had direct access to the database tables. All accesses to all tables were through views (and all the updates to the base tables were done through triggers).
    - All data items had a domain specified.
    - No data item was permitted to be nullable - this had implications that had the DBAs grinding their teeth on occasion; but was enforced.
    - Roles and permissions were set up appropriately - for instance, a restricted role to give only views the right to change the data.
    So is a set of (enforced) rules such as this (though not necessarily this particular set) an appropriate alternative to parametrized queries in preventing SQL injection attacks? If not, why not? Can a database be secured against such attacks by database (only) specific measures?
    EDIT: Emphasis of the question changed slightly, in the light of the initial responses received. Base question unchanged.
    EDIT2: The approach of relying on parametrized queries seems to be only a peripheral step in defense against attacks on systems. It seems to me that more fundamental defenses are both desirable, and may render reliance on such queries not necessary, or less critical, even to defend specifically against injection attacks. The approach implicit in my question was based on "armouring" the database and I had no idea whether it was a viable option. Further research has suggested that there are such approaches. I have found the following sources that provide some pointers to this type of approach: http://database-programmer.blogspot.com and http://thehelsinkideclaration.blogspot.com The principal features I have taken from these sources are:
    - An extensive data dictionary, combined with an extensive security data dictionary
    - Generation of triggers, queries and constraints from the data dictionary
    - Minimize code and maximize data
    While the answers I have had so far are very useful and point out difficulties arising from disregarding parametrized queries, ultimately they do not answer my original question(s) (now emphasised in bold).

  • Can see samba shares but not access them

    - by nitefrog
    For the life of me I cannot figure this one out. I have samba installed and set up on the Ubuntu box and on the Win7 box I CAN SEE all the shares I created. I created two users on Ubuntu that map to the users in Windows. On Ubuntu they are both admins, user A & B; on Windows user A is admin and user B is poweruser. User A can see both shares and access them, but user B can see everything, but only access the homes directory; the other directory throws an error. I have two drives in Ubuntu and this is the smb.config file (I am new to samba):
        [global]
        workgroup = WORKGROUP
        server string = %h server (Samba, Ubuntu)
        wins support = no
        dns proxy = yes
        name resolve order = lmhosts host wins bcast
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = user
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        ; usershare max shares = 100
        usershare allow guests = yes
    And here is the share section. Both user A & B can access this from Windows. No problems.
        [homes]
        comment = Home Directories
        browseable = no
        writable = yes
    Both user A & B can see this share, but only user A can access it. User B gets an error thrown.
        [stuff]
        comment = Unixmen File Server
        path = /media/data/appinstall/
        browseable = yes
        ;writable = no
        read only = yes
        hosts allow =
    The permissions for /media/data/appinstall/ are as follows (appInstall properties):
        share name: stuff
        Allow others to create and delete files in this folder is checked
        Guest access (for people without a user account) is checked
        permissions:
        Owner: user A - Folder Access: Create and delete files; File Access: ---
        Group: user A - Folder Access: Create and delete files; File Access: ---
        Others - Folder Access: Create and delete files; File Access: ---
    I am at a loss and need to get this to work. Any ideas? The goal is to have a setup like this: 3 users on Windows machines. Each user on the data drive will have their own personal folder which only they can access, then another folder where 2 of the users will have read-only and one user full access. I had this setup before on Windows, but after what happened I am NEVER going back to Windows, so Unix here I am to stay! I am really stuck. I am running Ubuntu 11. I could reformat again and put on version 10 if that would make life easier. I have been dealing with this since Wed. 3pm. Thanks.

  • How to set up an rsync backup to Ubuntu securely?

    - by ws_e_c421
    I have been following various other tutorials and blog posts on setting up an Ubuntu machine as a backup "server" (I'll call it a server, but it's just running Ubuntu desktop) that I push new files to with rsync. Right now, I am able to connect to the server from my laptop using rsync and ssh with an RSA key that I created and no password prompt when my laptop is connected to my home router that the server is also connected to. I would like to be able to send files from my laptop when I am away from home. Some of the tutorials I have looked at had some brief suggestions about security, but they didn't focus on them. What do I need to do to let my laptop send files to the server without making it too easy for someone else to hack into the server? Here is what I have done so far:
    - Ran ssh-keygen and ssh-copy-id to create a key pair for my laptop and server.
    - Created a script on the server to write its public IP address to a file, encrypt the file, and upload it to an FTP server I have access to (I know I could sign up for a free dynamic DNS account for this part, but since I have the FTP account and don't really need to make the IP publicly accessible I thought this might be better).
    Here are the things I have seen suggested:
    - Port forwarding: I know I need to assign the server a fixed IP address on the router and then tell the router to forward a port or ports to it. Should I just use port 22 or choose a random port and use that?
    - Turn on the firewall (ufw). Will this do anything, or will my router already block everything except the port I want?
    - Run fail2ban.
    Are all of those things worth doing? Should I do anything else? Could I set up the server to allow connections with the RSA key only (and not with a password), or will fail2ban provide enough protection against malicious connection attempts? Is it possible to limit the kinds of connections the server allows (e.g. only ssh)? I hope this isn't too many questions. I am pretty new to Ubuntu (but use the shell and bash scripts on OS X). I don't need to have the absolute most secure setup. I'd like something that is reasonably secure without being so complicated that it could easily break in a way that would be hard for me to fix.

  • SSL + Jquery + Ajax

    - by chobo2
    Hi, I am starting to look at a bit of security for my site. My site I would consider a very low security risk as it has really no personal information from the user other than email. However the security risk will go up a bit as I am partnering with a company and the initial password for this company's users will be the same password they use essentially to get onto the network and every piece of software. So I have upped my security (which is fine by me... I wanted to get around to this anyway). So one of my security concerns is this. A user logs in. A form submit (non-Ajax) is done. The password is hashed & salted and compared to the one in the database. Reject or let them proceed. So this uses no jQuery or Ajax but is just ASP.NET MVC and C#. Still, if my understanding is right, the password is sent in clear text. So if I use SSL I would not need to worry about that, is this correct? If that is true, is that all I need? Second, the user can change their password at any time. This is done through Ajax. So when the password is sent it is sent in clear text (and I can verify this by looking at Firebug). So if I have SSL enabled on this page is that all I need or do I need to do more? So I am just kind of confused about what I need to make the password being sent to the server (both the Ajax and full post ways) secure. I am not sure if I need to do more than SSL or if that is enough, and if it is not enough what is the next layer of security?

  • Why do I get Access Denied when using WinRM?

    - by Kev
    Following on from this question: Why does my PowerShell script hang when called in PSEXEC via a batch (.cmd) file? I took the advice from Jim B and installed WinRM. To recap I have two servers:
    - HMon01 - runs Windows 2003 Standard SP2
    - Web1928 - runs Windows 2008 Standard SP2
    Both servers are standalone. I installed WinRM for Windows 2003 from here and configured WinRM as follows on both machines:
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
            DefaultPorts
                HTTP = 80
                HTTPS = 443
            TrustedHosts = *
    The problem I have is that if I remotely execute commands using the remote machine's built-in Administrator account then all is well. However I have an account on the remote machine named remoteexec which is a member of the Administrators group (we disable our Administrator accounts). If I use this account then I get Access Denied errors. I've done all the usual things such as checking passwords and the like. Why would this be?

  • apt-get update error after removing apt-key

    - by Caterpillar
    After running apt-get update on Ubuntu 10.04 server, I found this issue. Can anyone help me to solve it? Before this I had removed the apt-key. Where can I get this apt-key to add it again?
        apt-get update
        Get:1 http://security.ubuntu.com lucid-security Release.gpg [198B]
        Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_IN
        Ign http://security.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_IN
        Get:2 http://in.archive.ubuntu.com lucid Release.gpg [189B]
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid/main Translation-en_IN
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_IN
        Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_IN
        Ign http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_IN
        Get:3 http://security.ubuntu.com lucid-security Release [44.7kB]
        Err http://security.ubuntu.com lucid-security Release
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_IN
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_IN
        Get:4 http://in.archive.ubuntu.com lucid-updates Release.gpg [198B]
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_IN
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_IN
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_IN
        Ign http://in.archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_IN
        Hit http://in.archive.ubuntu.com lucid Release
        Ign http://in.archive.ubuntu.com lucid Release
        Get:5 http://in.archive.ubuntu.com lucid-updates Release [44.7kB]
        Err http://in.archive.ubuntu.com lucid-updates Release
        Hit http://in.archive.ubuntu.com lucid/main Packages
        Hit http://in.archive.ubuntu.com lucid/restricted Packages
        Hit http://in.archive.ubuntu.com lucid/main Sources
        Hit http://in.archive.ubuntu.com lucid/restricted Sources
        Hit http://in.archive.ubuntu.com lucid/universe Packages
        Hit http://in.archive.ubuntu.com lucid/universe Sources
        Hit http://in.archive.ubuntu.com lucid/multiverse Packages
        Hit http://in.archive.ubuntu.com lucid/multiverse Sources
        Fetched 587B in 1s (465B/s)
        Reading package lists... Done
        W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://security.ubuntu.com lucid-security Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5
        W: GPG error: http://in.archive.ubuntu.com lucid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5
        W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used.GPG error: http://in.archive.ubuntu.com lucid-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5
        W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/lucid-security/Release
        W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/lucid-updates/Release
        W: Some index files failed to download, they have been ignored, or old ones used instead.

  • Open file - Security warning

    - by joker
    Does anyone know how to disable the unknown publisher security warning when running an application in Windows XP Home? It's pretty annoying to have to click Run every time... I have tried: Run gpedit.msc, and go to Local Computer Policy > User Configuration > Administrative Templates > Windows Components > Attachment Manager and enable "Default risk level for file attachments", and then enable "Inclusion list for low risk file types" and add to this list the file extensions that you want to open without triggering this crap. But this file 'gpedit.msc' does not exist on my computer; I checked the system32 folder also =/ maybe it's for XP Pro.

  • SSL security error

    - by shah
    What would be the reason for getting the following error?
        Microsoft OLE DB Provider for SQL Server error '80004005'
        [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.

  • http, https and ftp is not working but smtp and imap is working

    - by Unicron
    Hi all, yesterday on a computer of a friend a strange thing happened. After booting, the ports for HTTP, HTTPS and FTP are closed but e-mail is still working. In the Control Panel the Windows firewall seems active even if he tries to deactivate it. I have a suspicion that it is the fault of Norton Internet Security 2010; we have tried to uninstall it, but the uninstallation did not work. When using the removal tool from Symantec it just goes to 23% and then it crashes. The process ccSvcHst.exe is still running. How can I safely remove the rest of Norton Internet Security? Thanks in advance. [edit] Norton Internet Security 2010 is successfully removed, but still no connectivity.

  • McAfee Security Scan appears out of thin air

    - by Jacques
    Hi, We have a Windows Server 2008 Standard edition server and when we logged in today a service, McAfee Security Scan, had been installed. I checked all the logs, but can't find any trace of who or how this install was initiated. We already use Nod32 so there would be no reason for us to install McAfee. Any idea how this happens? I did look for other installs like Flash or the like, but didn't see anything. Thanks Jacques

  • Users can't change password through OWA for Exchange 2010

    - by Rémy Roux
    Here's our problem: users who want to change their password through OWA get this error, "The password you entered doesn't meet the minimum security requirements.", even if users are respecting the minimum security requirements. With these settings, we have the error:
    - Enforced password history: 1 passwords remembered
    - Maximum password age: 185 days
    - Minimum password age: 1 day
    - Minimum password length: 7 characters
    - Password must meet complexity requirements: enabled
    With these test settings, we don't have an error:
    - Enforced password history: not defined
    - Maximum password age: not defined
    - Minimum password age: not defined
    - Minimum password length: not defined
    - Password must meet complexity requirements: not defined
    People can change their password but there is no more security! Just changing one parameter of the GPO, for example "Enforced password history", brings back this error. Here's our server configuration: Windows Server 2008 R2, Exchange Server 2010 Version 14.00.0722.000. If anybody has a clue it would be very helpful!

  • Cannot add service account to domain group during SQL cluster install

    - by Sam
    I'm installing a 2008 instance on a 2003 machine which is already running 2005. I need to set up domain groups for the security setup step: http://msdn.microsoft.com/en-us/library/ms179530.aspx "On Windows Server 2003, specify domain groups for SQL Server services. All resource permissions are controlled by domain-level groups that include SQL Server service accounts as group members." Much more info on this here: http://support.microsoft.com/kb/910708 I've had problems with being able to add the Windows service accounts to the groups at install time. The security admins had to make my account a domain admin - which they were hesitant to do. "The account under which SQL Server Setup is running must have permissions to add accounts to the domain groups." Is there a specific security setting which would allow my account to add accounts to a group?

  • Security System Preference won't open on Mac OS 10.6 Snow Leopard

    - by adambox
    When I try to open the Security preference pane on my iMac running Mac OS 10.6.6, it says "loading..." and it never opens. I get this in the console:
        3/5/11 4:16:56 PM System Preferences[724] Could not connect the action resetLocationWarningsSheetOk: to target of class AppleSecurity_Pref
        3/5/11 4:16:56 PM System Preferences[724] Could not connect the action resetLocationWarningsSheetCancel: to target of class AppleSecurity_Pref
        3/5/11 4:16:56 PM System Preferences[724] *** -[NSCFDictionary initWithObjects:forKeys:count:]: attempt to insert nil value at objects[0] (key: NSFont)

  • Secure Server Distro

    - by Drama
    Hello, I have a root server (i7/24GB/1TB) running Ubuntu 10.04 LTS as my OS. After some security audits (OpenVAS, Retina etc.) I see that Ubuntu isn't the most secure system for a semi-corporate environment. It's updated from many sources, ofc from the Ubuntu security repo too. But nevertheless I could exploit my OpenSSL install with an exploit from August/September. There are some critical updates needed which Ubuntu does not provide. I was using Debian and Ubuntu for almost 5 years but now I doubt. What distro is secure and up to date from your point of view? How can I make the server more secure? Outsourcing of every software module to a VM? I am not new to server hardening; my packages are up to date, I read Ubuntu Security Notices and I have no unneeded services installed on my server. Thanks.

  • How to integrate a mirror WS without client reconfiguration?

    - by tzup
    I have a web service hosted by IIS server 1 and another web service hosted by IIS server 2. Is there a way to have the WS on server 2 automatically pick up when the WS on server 1 is unavailable, without having to reconfigure the clients (which are desktop applications in this case)? There must be some tools that perform such tasks; please help. Thank you. EDIT: The two web services expose the same functionality, so basically I am trying to set up a high-availability cluster (i.e. a failover cluster).

  • Debian LTS: how to keep packages up to date with the latest security fixes using apt

    - by Quentin
    What's the best way to keep packages up to date (i.e. with the latest security fixes) without worrying about major version updates? For instance, apache2 for squeeze is 2.2.16 (https://packages.debian.org/source/squeeze/apache2). However, the latest apache2 version for the 2.2.x branch is 2.2.27. The test repository can't be used since it uses the 2.4.x versions and I'd like to stick to 2.2.x (to avoid migration issues). How would you handle this situation and how can I update to 2.2.27?

  • HTTP, HTTPS and FTP is not working but SMTP and IMAP are working.

    - by nWorx
    Yesterday on a computer of a friend a strange thing happened. After booting, the ports for HTTP, HTTPS and FTP are closed but e-mail is still working. In the Control Panel the Windows firewall seems active even if he tries to deactivate it. I have a suspicion that it is the fault of Norton Internet Security 2010; we have tried to uninstall it, but the uninstallation did not work. When using the removal tool from Symantec it just goes to 23% and then it crashes. The process ccSvcHst.exe is still running. How can I safely remove the rest of Norton Internet Security? Edit: Norton Internet Security 2010 is successfully removed, but still no connectivity...

  • AD reset user passwords for a security group

    - by Nathan C
    I'm not quite sure if this is possible or not, but I need to force a certain security group's users to have their passwords expire so they'll be forced to change them on next login. The reason for this is because I applied a FGPP (password policy) to this particular group in order to enforce strong passwords. Well, many users have really weak passwords and they won't be changed unless they're forced. Is there a way to do this without forcing everyone to a single password?

  • Amazon EC2 open ports for security groups present in other accounts

    - by rahul
    Hi, assume I have 2 EC2 accounts (say A and B), both with different lists of security groups. Now I want to open a particular port (say 80) on an instance running in account A to account B. I.e., I want to only allow account B instances to access account A's port 80. Could anyone tell me if there is a way to do this? Additionally, may I access account A's instance from account B's instance by using its private IP address/host name? Thanks in advance.

  • Logins with only HTTP - are they as insecure as I'm thinking?

    - by JoeCool1986
    Recently I was thinking about how websites like Gmail and Amazon use HTTPS during the login process when accessing your account. This makes sense, obviously, since you're typing in your account username and password and you would want that to be secure. However, on Facebook, among countless other websites, their logins are done with simple HTTP. Doesn't that mean that my login name and password are completely unencrypted? Which, even worse, means that all those people who log in to their Facebook accounts (or similar sites) at a wifi hotspot in public are susceptible to anyone getting their credentials using a simple packet sniffer (or something similar)? Is it really that easy? Or am I misunderstanding internet security? I'm a software engineer working on some web-related stuff, and although at the current time I'm not too involved with the security aspect of our software, I knew I should probably know the answer to this question, since it's extremely fundamental to website security. Thanks!

  • How to effectively secure a dedicated server for intranet use?

    - by Mark
    I need to secure a dedicated server for intranet use. The server is managed so will have software-based security, but what other security should be considered for enterprise-level security? The intranet is a host for an ECM (Alfresco) managing and storing sensitive documents. As the information is sensitive we are trying to make it as secure as reasonably possible (a requirement in UK law). We plan to encrypt the data in the database. It will be connected to via SSL encryption. Should we consider a hardware firewall, or a private LAN between the application server and database server?
