Protect a web site against hackers - security

I've suffering from hacker attack for one of my client website.
Each and ever time anonymous user adding unwanted code and hyperlink on my website home page(default.aspx).
Following code he added recently:
a href="http://www.ebk8.com/amdc/">symbolic code</a>
a href="http://www.ebk8.com/qxws/">symbolic code</a>
a href="http://www.ebk8.com/zqbf/">symbolic code</a>
a href="http://www.b2b110.com/bca/ ">symbolic code</a>
a href="http://www.b2b110.com/bcb/ ">symbolic code</a>
a href="http://www.b2b110.com/bcc/ ">symbolic code</a>
symbolic code=different-different chinese or japanese language code.
These hyperlinks he or she added bottom of my default.aspx page with symbolic code as hyperlink text.Due to above code web page getting compilation error.Every day I am removing these unwanted code from the webpage on webserver.
My web site is running Medium trusted on shared hosting web server.
It has following permission for following user:
Permission attributes
--Full control
--Modified
--Read & Execute
--List Folder Content
--Read
--Write
Groups or User Names
*Administrators
--All permissions check
*System
--All permissions check
*FTP accounts (ftp_subaccounts) [No permission for this user]
--Full control uncheck
--Modified uncheck
--Read & Execute uncheck
--List Folder Content uncheck
--Read uncheck
--Write uncheck
*Plesk IIS Anonymous Account (IUSR_sadgutn8)
--All permissions check
*Plesk IIS Worker Process Identity Account (IWPD_2677(sadgutn8))
--All permissions check
Plesk FTP subaccount (sadguru)
--Permission for "List Folder Contents" check
Plesk Domain user (sadgutn8)
--All permissions check
Earlier it has permission for Everyone (full control) but I've removed that; also I've change all C panel and FTP account password.But still hacker continuously attack.
Can anyone please suggest me how can I prevent my website from these attacks.

There are several ways to protect your site.
1- You should proper check your codes for open loops, like SQL connections or public js functions.
2- Use extra security checks for your URL, I suggest you to use CloudFlare.com:
A. Cloudflare’s Basic Security Level is based on IP reputations and will challenge IPs that have shown problematic activity online recently. The Basic Security Level is a free feature offered to all customers, but it is not as robust as using the Web Application Firewall at stopping sophisticated attackers (the Basic Security Level only throws up a challenge/captcha page, which is largely only going to help with automated hacking attempts).
B. Cloudflare’s Web Application Firewall (WAF) will stop many hack attempts on your site. The Web Application Firewall (WAF) is a paid feature on Cloudflare, and site owners can adjust the WAF security level settings and rule sets in the WAF management console.

Related

SSRS and UAC problem

I have using SSRS 2008r2 on Windows2003 server and added Domain Users group as a System Administrator via report manager. However, when I mimic an ordinary user in report manager web interface on my computer(member of the domain) I get;
User 'usera' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
if I try with user a on the server by using FQDN, it it shows same error above.
If I type localhost instead, it does work. while using localhost, it I navigate to a folder and while I am in a folder and change the localhost to FQDN, it still works.
There are lots of solutions on the web, like the one on http://skamie.wordpress.com/2010/06/24/ssrs-and-uac/, but it did not work..
Does anyone have any idea?
Many Thanks
Regards
Have you tried right-clicking on IE and select Run as Administrator?
I have to do that from time to time on my development machine so it is sort of first solution that came to mind. Hope it helps.
Additional answer:
So the Domain Users group has System Admin role. You can try adding that group as Browser role or Content Manager role at the root folder.

Force sharepoint to ask for authentication

Is there a way to force sharepoint 2010 to popup the dialog to ask the user for a username and password and not use the computers logged in user, if that user doesn't have access.
We need an internal sharepoint website to not use the windows credentials, since these are computers used by many people. The windows user doesn't have access to the site, so currently it shows an access denied, click here to log in as another user. We would prefer if it just asked for credentials in a more graceful manner.
There is a way to configure Internet Explorer to do this. In Internet Explorer(IE),
Go to Tools
Click Internet Options
Click on the Security tab
Click on the button labeled Custom Level.
Scroll to the very bottom of the list
Select the option labeled Prompt for user name and password.
The default option Automatic logon only in Intranet zone' is what is causing IE to send the credentials to SharePoint. This of course would force everyone to log in on that computer.
Forms Based Authentication is the answer. You can modify the Login page and even where the users credentials (username/password) are stored (e.g. a SQL database rather then AD).
Use browser other than IE to access the SharePoint site from the community computers.
I am guessing you work in a corporate environment, which would mean your computers are probably managed by your IT department and part of your domain. Because they are part of your company's AD (Active Directory), your systadmins Should be able to modify the existing policy (i say existing, because in IE, the defaults for the settings relating to logging on are by default set so that you WOULD have gotten a logon prompt, i am guessing a group policy is already in effect). If it does not exist, have your admins create one.
The setting Jeremy mentions is one option. It could also be that the site is in included in your IE's "Local Intranet Zone". If it is, or, more probable, there is a wildcard *.yourdomainname.yourdomainextension).
Use the setting mentioned by jeremy to override the default logon behavior (automatic logon) associated with sites listed in the intranet zone.
A group policy can be applied to a group of computers or all the computers in the domain. If the policy should be applied to a small group of computers only, put those computers in a separate OU (Organisation Unit) in AD and apply the policy to that OU.
What about creating a new zone, secured with FBA, for those community computers? As long as the users of the community computers are given only URL for the new zone, you should be OK.
You can create 2 registry files to turn this behavior on and off for the Internet Explorer. Use Notepad to paste the values below, ensure that Windows Registry Editor Version 5.00is the first line, and that you're appending 2 blank lines at the end of the file (press 2x Enter).
To turn it on (i.e. always ask for credentials): AlwaysAsk.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
To turn it off (automatically use credentials, only ask if necessary): AutomaticLogon.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
This is useful for testing, espcecially if you're a developer in a corporate environment where you can't easily change the policy settings on your PC (but you need elevated rights, i.e. you have to run it as Administrator).
Note that the 1st key is for the local machine, the 2nd key is for the current user (currently logged in), which is needed to activate it immediately.
If you need more details about the values, check out this link:
Internet Explorer security zones registry entries for advanced users

Why can't users in the "Visitors" group access my SharePoint 2010 publishing site. It works when i promote them to the "Members" group

When I place a test AD account in the Visitors group they are unable to view any pages on my new intranet site. The users receives the "Error access denied" sharepoint screen and indicates that the account was able to authenticate, but that some authorisation rule is permitting it from viewing the page.
When i remove then and place them in the Members or Owners groups they are able to view the pages as well as perform the expected functions like editing content and creating subsites.
Interesting, while in only the Visitors group, users can view the "All Site Content" page that is located here: /_layouts/viewlsts.aspx but not /pages/default.aspx.
Has anyone experienced this before?
Environment info:
1 Web application, 1 Site collection using the Publishing Portal template. A few custom master pages, lots of custom page layouts and user controls. All deployed via features.
Sharepoint 2010 Standard edition, 64bit running on Windows Server 2008 against SqlServer 2008 Enterprise Edition. Authentication is against AD, not any other forms auth providers etc.
One likely reason for such behavior is that it tries to access a resource on a page which might not have been published to a major version. For example, if versioning was turned on on images library and an image's version is 0.1, if that image was used on version 1.0 (published) of the page, the server would deny access to the visitor and ask for credentials.
Make sure following:
At least one major version of the page exists (page was published at least once)
All resources (images, movie files etc) used on the page are published (to major version)
You can use "Draft Check" button on Page Tab of the Page's ribbon to check the unpublished resources that are used by the page.
I had the same issue and I've finaly found out how to do this:
If you check OOB group access, you can find that Visitors group has limited number of pages where it has granted access.
Navigate to /yourweb/_catalogs/masterpage. Here you'll find many
.aspx files (including default.master).
Open this default.master`s permissions and you see it inherits from
Master Page Gallery.
Click this permissions inheritance and you can see that Master Page
Gallery permissions are not inherited from site collection
permissions.
Give here the Contribute permissions to Style Resource Readers (or
modify it as you'd like) and all users will have access to this web
with no permissions to edit etc..
I had a similar issue and the thing I noted in your Environmental comments was the custom master pages. Go to your Site Settings and ensure that your custom master pages have been published. If you need to publish them also check the corresponding html pages after they have been published as they may need to be republished also.
This worked for me.

iis: Integrated Windows authentication still pops up account info login

I have a website running on a Windows 2003 server on IIS 6, serving pages for a LAN where everybody is working with a domain account. On other machines this works fine, no-one has to login to the website, the dynamic scripts pick-up the account-name from the HTTP request.
Only, when browsing from the server itself (via remote desktop e.g.), Internet Explorer still pops up the domain-login-dialog when navigating to this site. (both the usual URL and http://localhost/). This was no problem on the Windows 2000 server we recently migrated the website from.
I had this problem or similar and solved it by:
adding http://localhost to list of Intranet sites, via IE > Tools > options > security > Local intranet > Sites > advanced > add http://localhost. (This is necessary if you have IE Enhanced Security installed which assigns all intranet Web sites and all UNC paths that are not explicitly listed in the Local intranet zone to the Internet zone, even localhost or other domains that don't contain '.' symbol which would normally be considered intranet by default.)
also on Security > Local Intranet > see what level of security you're on, to ensure that logon details are passed through. If it's Custom then click the Custom Level... button, scroll right to the bottom, under User Authentication > logon > for me it's 'Automatic logon only in Intranet zone', which works.
Did you configure IE on your Windows 2003 box for "Enable Integrated Windows Authentication"? This needs to be configured in IE6 to automatically use the logged-in user credentials.
You'll probably have better luck on ServerFault for this issue, as it's probably down to server configuration. Take a look at this KBAlertz.com article, yes it's specific to SharePoint, but some bits are more general. I suspect (given that you've said you've migrated to a new machine), that the issue is around the new machine not being "trusted for delegation" so look at the part titled "Configure trust for delegation for Web parts"
Configure trust for delegation for Web
parts To configure the IIS server to
be trusted for delegation, follow
these steps:
Start Active Directory Users and Computers.
In the left pane, click Computers.
In the right pane, right-click the name of the IIS server, and then
click Properties.
Click the General tab, click to select the Trust computer for
delegation check box, and then click
OK.
Quit Active Directory Users and Computers.
If the application pool identity is
configured to use a domain user
account, the user account must be
trusted for delegation before you can
use Kerberos authentication. To
configure the domain account to be
trusted for delegation, follow these
steps:
On the domain controller, start Active Directory Users and Computers.
In the left pane, click Users.
In the right pane, right-click the name of the user account, and then
click Properties.
Click the Account tab, under Account Options, click to select the
Account is trusted for delegation
check box, and then click OK.
Quit Active Directory Users and Computers.
If the application pool identity is a
domain user account, you must
configure an SPN for that account. To
configure a SPN for the domain user
account, follow these steps:
Download and install the Setspn.exe command-line tool. To do
so, visit the following Microsoft Web
site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en
(http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en)
Use the Setspn.exe tool to add an SPN for the domain account. To do
so, type the following line at the
command prompt, and then press ENTER,
where ServerName is the fully
qualified domain name (FQDN) of the
server, Domain is the name of the
domain, and UserName is the name of
the domain user account:
Setspn -A HTTP/ServerName Domain\UserName

sharepoint search is not working

I have an issue with SharePoint search.
The situation
The server is installed with
SharePoint on a farm with 2 servers.
A new app pool is created and that app pool is using a domain account called moss_service.
moss_service is set to be in the administrator group in both server.
moss_service is also set to be the db_creator in the content database.
When I checked it initially, the search's default content access account is using another different account, I changed that to be using moss_service account.
I didn't do IIS reset because this is a production server, they dont want frequent iis reset.
Strangely, checking the services.msc under "office sharepoint server search" the account is still using an old one. (and apparently it's only running on 1 server, the other server is not running) I then change that to the following:
domain\moss_service with the password.
and then I rerun the crawl.
How do I diagnose the issue
Basically everytime I change something I restart the crawl and then check the event viewer. Multiple things come out but the following is the major ones:
The start address cannot be
crawled. The password for the content
access account cannot be decrypted
because it was stored with different
credentials. Re-type the password for
the account used to crawl this
content. (0x80042406)
Performance monitoring cannot be
initialized for the gatherer object,
because the counters are not loaded or
the shared memory object cannot be
opened. This only affects availability
of the perfmon counters. Restart the
computer.
Access is denied. Check that the
Default Content Access Account has
access to this content, or add a crawl
rule to crawl this content.
(0x80041205)
Crawl Logs Result
The crawl log is showing this:
The password for the content access account cannot be decrypted because it was stored with different credentials. Re-type the password for the account used to crawl this content.
I tried changing it again at service.mstsc and the rerun the full crawl again but then it doesn't work. I have tried entering it using the following way:
moss_service#domain.local
and
domain\moss_service
My Questions are:
How do I fix this?
Is this the right way to setup the
search?
Does the search account has to be
using a different domain account?
Seemed like one fix complicates the
other, how do I set this right?
Is it worth it to upgrade to sp2?
Google this you will get answer " Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. "
Alex, I think you need to completely reconfigure the search services. Keep in mind that the search crawler should be an account with least privileges (not your application service account!). Also, the indexer only runs on one server and whether the search crawler runs on one or more machines is another configuration issue. Also, some settings changes (like changing the crawled File Types) even require the search engine to be restarted.
The start address cannot be crawled. The password for the content
access account cannot be decrypted because it was stored with
different credentials. Re-type the password for the account used to
crawl this content.
For this error,
Open the Sharepoint administration
Click on "Application Management"
Click on "Manage service applications"
Click on "Search Service Application"
Click on the current value for "Default content access account" and re-enter the user's password, or update to another admin user.

Resources