I'm currently configuring Windows Defender on Windows 10 setting up such that only restricted apps can be run.
In one of the allowed apps, I want to have Microsoft Teams be able to run under this environment.
I added the following exe files as allowed programs under "send rules".
AppData\Local\Microsoft\Teams\current\Teams.exe
AppData\Local\Microsoft\Teams\Update.exe
but so far no luck.
If anyone could guide me on how to configure it correctly, much appreciated.
You cannot refer directly to %appdata% generically across all users. A firewall rule needs to be created per instance of Teams i.e. per user.
You can use the Microsoft suggested sample PowerShell script to set up a firewall rule per existing user on a workstation. Available here: https://learn.microsoft.com/en-us/microsoftteams/get-clients#sample-powershell-script---inbound-firewall-rule
This doesn't help for the next user who logs into the workstation when there is no firewall rule preemptively created for them.
You will have to create a scheduled task to create a firewall rule ( or check for whether one exists already) on user logon.
Related
Azure allows partners to manage customer's resources.
But as startups serving enterprise customers, we might be asked to install our software on customer's Azure Linux server resource and manage it, but we dont want them to access the Linux box via shell or clone it entirely thereby making a copy without our knowledge. How do you solve this?
For the install, I'd write a bash script to install your application by wget'ing the binaries and setting some environment settings. If you want to take it a step further, your client can create an ARM template that spins up the VM and installs your app via custom script extension. When it comes to managing the application, you should be able to view log files in Azure using Application Insights and perform administrative functions using the app. If an issue arises that cannot be diagnosed from the log files and the built-in app diagnostics (e.g. the install failed, app cannot write to log files in local dir), I'd do a screen share with the client and troubleshoot.
You could create a web application that would talk to the OS and perform the administrative tasks you wish. This way, you only need to open one port (possiblity 443 - HTTPS) and share login credentials w/ your partner. This way your OS is protected -- administrative tasks can only be performed through a web UI.
By doing a quick Google search, you can find some open-source options:
http://ajenti.org/
http://www.webmin.com/
https://cockpit-project.org/
You need to ensure you create users for your customer with limited access. Get Webdmin as an example: https://doxfer.webmin.com/Webmin/Webmin_Users
A standard, out-of-the-box Webmin installation has only one user
(called root or admin) who can use every feature of every module. On a
home or office system used by just one person, that is all you need.
Even if your system has multiple users, there may be only one who
needed to perform system administration tasks.
However, there are many situations in which the administrator may want
to give some people access to a subset of Webmin's features. For
example, you may have a person in your organization whose job it is to
create and edit DNS zones and records. On a normal Unix system, this
person would have to be given root access so that he can edit the zone
files and re-start the DNS server when necessary. Unfortunately, once
someone is able to login as root he has full control of the system and
can do whatever he wants.
Webmin solves this kind of problem by allowing you to create
additional users who can login, but only access a few modules. You can
further restrict what the user can do within each module, so that he
cannot abuse its features to perform actions that he is not supposed
to. Because Webmin still runs with full root privileges even when used
by a restricted user, it still has access to all the configuration
files and commands that it needs.
I want to provide/restrict access to resources based on IP from my google cloud vm to prevent my dev team downloading/uploading the code to public drives.
Everything is working fine up to now.But I want to provide access to Visual studio online TFS with my outlook account.
I created visual studio online account for Version control.
URL: https://eschooltest.visualstudio.com
Region: Canada Central
I came to know vs online IPs are published every wednesday and downloaded from the below url and added these canada central Ips to Google Firewall system with allow access.
https://www.visualstudio.com/team-services/support/ip-addresses-used-hosted-build/
But still I am not able to access vs url.I pinged this url from command prompt and found the ip is 13.107.6.175 which is not present in the canada central IP list and also not present in the whole ip list of all regions.
Can someone help to achieve the requirement? OR please let me know if there is an elegant way of doing this.
if this is not possible with VS online, I am planning to set up TFS express in another VM to prevent leaking of my code to outside world though this is cumbersome.
EDIT:
1. Why this ip is not present in the Published xml?
VSTS does not offer any type of IP-based filter — so you can't do like in SQL Azure, in which you add and/or remove IPs that can access the service on Azure. About this area take a look at thie blog: Prevent users from accessing the VSTS out of the workplace
You should take a look at the official tutorial how to Manage conditional access to VSTS
Conditional access offers simple ways to help secure resources for
VSTS accounts backed by an Azure Active Directory (AAD) tenant.
Conditional access policies like multi-factor authentication can help
protect against the risk of compromised credentials and help keep your
organization's data safe. For example, in addition to requiring
credentials, you can have a policy that only devices connected to a
corporate network can gain access.
We're using Azure to maintain our development and QA servers.
One of the needs we have now, is to provide our QA members access to update web.config file on the server, which can be achieved via Visual Studio Server's Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft will come up with something better :)
Thanks Brendan!
How do I configure Azure Web Role to have United Kingdom (as opposed to US) as it's language/regional settings etc for all accounts? I believe I can RDP in and change it. However I want to set it to default on creation of the web role. It is making a difference to some classic ASP pages we have in a legacy app.
Interesting problem. Can't say I've attempted this before. What you want is to set a different locale at startup so that it is always enforced as VMs making up your Web Role may be rebooted from time to time.
Unless someone comes up with a better idea you could try to modify the registry from a Windows Azure Startup Task. You would need to know which user locale to modify and you would need a registry changing CmdLet like this one (though I haven't tried it): Set-RegistryKey.
Given you can figure out what registry value to modify and what user is running your IIS this could be done.
Use a Startup Task. Call a Cmd script and envoke a PowerShell script. Call the CmdLet and set the locale you want.
I realize this is not a complete solution, just a suggestion. Hopefully it is worth while.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.