How to know when computer object added to security group - security

I need to check when one of the servers in my organization was added to a security group, meaning on which date, or if possible who added it. Is there any PowerShell command with which I can check this?

To get the information you need, you first need to make sure that you audit the changes in AD that you want. Try searching for "active directory audit security group" on Google, or simply visit the first result: Auditing Group Membership Changes in Active Directory.
When you have enabled it, changes to accounts will be audited/logged in the Security log on the domain controllers. Now you can simply use PowerShell to search for it. E.g. if the group is a global security group, the event ID for a member being added is 632. So to search for group "FOO", use:
Get-EventLog -LogName Security -InstanceId 632 -Message "*FOO*"
This should (don't have a test lab to verify with atm.) include who made the change, who was added to what group (FOO) and when it was done. The event will only show up on the domain controller that the request was sent to(!).
If you have multiple domain controllers (as you should), you should use Event Subscriptions to collect the events to a central server or your workstation. You could also use WMI subscriptions to run a script whenever a new event like that occurs. A simple search here on SO or Google will show you how to do that.
EDIT If the person who downvoted me reads this later, could you please leave a comment with the reason. It's hard to improve when you never get feedback. The answer includes an explanation and a solution including the necessary PowerShell command, so I can't see what I did wrong.

Related

securing a Google Apps Script linked to an authorized trigger so others can edit

I am pretty sure my understanding is correct but since I cannot find any Google documentation that explicitly highlights this I wanted to ask here.
Per https://developers.google.com/apps-script/guides/triggers/installable:
Installable triggers always run under the account of the person who created them.
And we know that when you create a trigger it will ask to authorize for all the scopes the script uses.
Then, that means that anyone with edit access to the script could leverage the Google identity of the user used to create the trigger to access the scopes the trigger is authorized for.
For example:
User 1 creates a Google Apps Script that uses GmailApp to send an e-mail
(i.e. GmailApp.sendEmail("one#example.com", "test subject", "email body");)
User 1 creates a trigger to run said script every hour and authorizes it with the appropriate GmailApp scopes
User 1 gives User 2 edit access to said script
Now, User 2 can go into said script and make changes to the code and access User 1's Gmail account. For example, user 2 could change the code to:
var emails = GmailApp.search("search string to find sensitive emails")
// use GmailApp.sendEmail to forward those details to someone else like User 2
All they would have to do is make changes to the code and save; they wouldn't need to re-create the trigger since it already exists. And the next time the trigger runs it would run the newer/updated code.
I was able to confirm this behavior by creating a test script on one of my accounts and giving another account edit access.
So my question is, what is the official/recommended way to mitigate this risk? The obvious answer is to not give anyone else edit access but what if that is not an option -- what if for support purposes multiple people need to be able to access the script, then what?
As you say, the only official/recommended way is to limit editing access to trusted persons.
In your particular example, User 1 could have chosen MailApp instead of GmailApp. The two seemingly redundant services are available separately because MailApp has very limited privileges exposed compared to GmailApp. (For instance, User 2 cannot search the victim's Gmail with the MailApp service.)
You can collaborate while avoiding giving direct access to your script file using clasp and git. Only you push with clasp to the script. Everyone else submits changes through git. You can set up the system to be fully automatic (i.e. a git push triggers a clasp push) or manual (i.e. you review all changes first), but either way you have good records of who did what, when, with git.
There's inherent trust when you provide edit access to the script project. You either trust the person or don't trust them. There's no in between.
Some "theoretical" ways you may still protect the data:
Create and use different Google accounts.
Install triggers at a specific deployment, not at Head:
Possible only if done manually. Installable triggers created programmatically can only be used at Head.
When you deploy a web app/API, you can deploy a specific version.
This deployment version can then be provided when you create a new trigger for a project here.
There is no need for a working web app/API. We're only looking to get a deployment ID.
In this way, even if a user changes the script, your trigger will only run the old deployed version.
Deployed versions can be seen at Publish > Deploy from manifest.
As the previous answer states, git would be a better call.
For all practical purposes, any data you share with a malicious entity should be considered compromised.

Google Doc onopen have menu show up for specific user

Is it possible with Google Apps Script to either
A. Have a custom menu show up only for specific users?
or
B. Only allow specific users to click on a menu item.
I'd like to use the get active user command and try to bounce that off of a specific cell in another Google Sheet, in which our secretary maintains a list of about 5 administrators. Pull the email address from the sheet, make it a variable called principal or directorOfTechnology etc., and have some kind of if statement so that either a menu only shows up for that person, or so that if they are the correct person it does what I have and if not they get a message saying "You are not able to click on this button" etc.
If this is possible, how would I go about writing this code? I am still in the learning stages and am not sure how to get this started, or if this is even possible.
Doing this in the way you describe runs up against the fact that onOpen() runs in 'limited' authMode: you won't be able to read from the spreadsheet until the auth cycle is complete and your script gets to full authMode. (documentation)
Here are 2 possible work-arounds:
You can specify a list of authorised accounts in your script and check against them. This makes it difficult for a third party to manage the ACL, as they have to modify the script directly.
You can deploy the script as a Sheets add-on and make it accessible only to members of a Google Group. You can then devolve management of the access group to a third party.
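The first work-around above, as an added Apps Script example that is not part of the original answer: onOpen() only builds the menu (it runs in limited authMode), and the identity check happens inside the menu handler, where the script has full authorisation. The addresses, menu labels and function names are placeholders.

```javascript
// Hard-coded access list (placeholder addresses); changing it means editing the
// script, which is the management cost the answer points out.
var AUTHORISED_USERS = [
  'principal@example.com',
  'director.of.technology@example.com'
];

// Pure check, kept free of Apps Script services so it can be tested outside Sheets.
// Session.getActiveUser().getEmail() returns '' when the identity is not available
// (for example a consumer account opening a Workspace-owned sheet), so '' is denied.
function isAuthorised(email, allowList) {
  if (typeof email !== 'string' || email.trim() === '') return false;
  var normalised = email.trim().toLowerCase();
  return allowList.some(function (allowed) {
    return allowed.trim().toLowerCase() === normalised;
  });
}

// Simple trigger: runs in limited authMode, so it only builds the menu and reads
// nothing from the sheet. The menu is shown to everyone; the gate is in the handler.
function onOpen() {
  SpreadsheetApp.getUi()
    .createMenu('Admin')
    .addItem('Run admin task', 'runAdminTask')
    .addToUi();
}

// Menu handler: runs with full authorisation, so the identity check belongs here.
function runAdminTask() {
  var ui = SpreadsheetApp.getUi();
  var email = Session.getActiveUser().getEmail();
  if (!isAuthorised(email, AUTHORISED_USERS)) {
    ui.alert('You are not able to use this menu item.');
    return;
  }
  // Privileged work goes here; as an illustration, record who ran it on the sheet.
  SpreadsheetApp.getActiveSheet().getRange('A1').setValue('Last run by ' + email);
}
```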

Disable the edit of ?id= in url jsf

Before writing the question, sorry for my English. My question is this:
I have a web application in JSF; the application has new, edit and delete for Categories, Outgoings, Budgets, Users, etc.
When I open the edit page I have a URL like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
The problem is that if the user changes the number 2 to another number, and that other number exists in the database, the page changes from the data of id 2 to the data of the new id.
The problem is if id number X is the data of another user, and the user who changed the id is not allowed to see that data.
How do I disable editing of the id, or deny showing the data to the other user?
Thanks, and I hope to have a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement proper access security controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation strategies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).

How to find which security permission is preventing a user from doing something

Dynamics CRM 2011 on premise.
I have a plugin that adds some buttons to the ribbon on the case/incident form.
Different users have different security permissions.
The buttons are enabled for all users.
When some users press the buttons they perform the expected operations.
When other users press the buttons they do not seem to do anything.
Other than permissions, I think everything else is the same for the users.
How can I find which permission(s) are causing the problem?
(Also, shouldn't CRM say something if permissions are blocking a user from doing something? We don't get an error.)
The Xrm Tool Box has an access checker that would help in this situation.
The way security works in CRM when querying data is that you do get an exception if the user attempts to perform a select on an entity that they have no read rights at all for. But, if the user has rights to view only records that they own, they'll get an empty result set if they attempt to query records they don't own. I'm guessing that's what's going on here: they're attempting to query data that they have read rights for, but not at the Organization level, or whatever the exact level that they need.
From Suumit Bhatanagar at https://community.dynamics.com/crm/f/117/p/113149/228873.aspx
You may collect verbose-level traces, which would direct you in the right direction. Simply reproduce the issue by clicking on the button and then stop the traces.
For traces, you may look into: http://support.microsoft.com/kb/907490
From DavidJennaway at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
Enable tracing and the trace log will indicate the privilegeid and systemuserid - you can then lookup the privilegeid in the privilege entity.
Be aware that the trace log will record all instances where a user doesn't have permission; this includes the scenario where CRM checks if a user has any permission on an entity to decide if the entity should be shown in the UI.
From Roshan Mehta at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
Check the Event Viewer. This usually gives sufficient information about missing privileges when a plugin fails to run under user context.
Alternatively, you can run the plugin under SYSTEM context in which case this error will not occur. To do this, pass a null value into the CreateOrganizationService method when instantiating service objects in your plugin.
From Imran I Abbasi at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
David is right, there isn't any easier way to get to the root of your issue. Enable tracing and then use privilegeId (a GUID) from tracing file against Privilege entity in database to get details of missing privilege. To simplify your quest, you can use TraceLogViewer to filter your log file and get only the errors. Here is the link: Trace Log Viewer
And here are the steps to enable tracing in CRM 2011:
1. Start -> Run -> regedit.exe
2. HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > MSCRM
3. Add new keys TraceEnabled and TraceRefresh (DWORD, value = 1)

Intuitive Website owner verification

Hello I'm developing a web app where the user needs to verify that they are the "Owner" of the website. I know there is code verification but how would I check if that verification is on their site without over complicating the verification method?
Also, I'm thinking about giving the site owner an hour to verify, how would I automatically detect if the hour is over and be able to delete them from the database?
The way Google or Yahoo do this is to require the webmaster to create a file with a special cryptic name (the file length can be 0), which is generated by Google/Yahoo. It could be something like "dsaa6fd4sgfdsf324gd.html". So you generate such a unique (name) string for each website to be verified, store it in the DB, and then you go and try to GET it from that site. If the GET succeeds you can set "verified=true" in the DB for that site and file name.
To answer the 1hr question we'd have to know what technology you are using. There are many options to run timed background jobs from a web application. Usually you write the job details into the database, and have a background daemon check the DB periodically and execute any pending jobs. You could tell it (that daemon) to execute a job one hour later to see if the file (see above) exists. Well, you have to do it that way in any case, it's no use simultaneously telling the webmaster to create that file and check for it right away :)
