Network Service Permissions for root directory Azure - azure

I want to give the network service account modify permission (root project directory) on start of my Azure webrole, anyone know of a way of doing this? After modification, I would reset this value to keep things secure. Primary purpose is I need to modify the webconfig to change wcf addresses based upon staging/production environment differences, on multiple nodes.
I have tested the routine and it will properly run once permissions are given to the network service account. I wouldn't mind if it was a first-launch modification, but unfortunately directory permissions change upon deployment of a new version, as it swaps VHD's on which the sites reside...
Any help would be awesome...
Thanks!

If you objective is to update web.config to add/modify setting related to your Azure environment, you can do that using Web Administration module by adding proper code to Role Startup() routine. I believe this way you will have an easier and clean solution.
The process is defined in this blog and there may be others who may have much better ways to do it.

Related

GitLab: Give someone only access to the Container Registry?

I want to give a frontend developer rights only to pull/read from the GitLab container registry. In order to test some things in the frontend he needs also the backend container.
But I dont want to give access to the full gitlab project, so that he can clone the whole repo. I only want to give him access to pull the container from the registry (because how I understand it, he wont have the possibility to access the code then).
Is this even possible with GitLab? Seems like Container Registry access needs whole project access?
If this is not possible with GitLab it should somehow be possible with AWS Registry instead or? (Any suggestions for this usecase I would be very thankfull for.)
While GitLab's user permission scheme lacks some granularity, you might be able to workaround this limitation.
One would be to make the project publicly/internally accessible through its visibility settings. Users only need read ability in order to access the container registry. Obviously, this may not be acceptable if your images are intended to be more private/secret.
One other possible mechanism for granting access to container registry might be to create a project access token with just read_registry scope and distribute that token to your users that need to read the image registry for the project.
The same could be done with group access tokens, too. This may be useful to reduce management overhead if you have many projects with this need.

What is the right way for working with Azure AD when supporting multiple environments?

I am a Solution Architect responsible for setting up a project's infrastructure on Azure. The project should be running in multiple environments (dev, staging, prod). As far as I learned the best practice regarding environment separation in Azure is to use Resource Groups. That's what I did.
However, this is where things start getting tricky. Our application will use Azure AD as OAuth Authorization Server. I want to have my AD isolated, like everything else in my infrastructure. I don't want to accidentally modify a production user from the dev environment and for the dev environment, I want to be able to create a ton of test users which I don't want to see in production. So, isolation.
The problem is I don't see any option on how to do this. My first instinct was to create multiple ADs. But when I do that, they actually need to create a completely new tenant for each of these environments. This seems really messy to me. Have to support as many (almost empty) tenants as I want to have environments.
Please, what is the right way how to do this?
Does Azure AD have some kind of support for isolation I require?
Am I missing something?
Note: this question was also asked in MS Q&A.
You're correct that a tenant is equivalent to a directory and a user is either in the directory or it's not. However, using RBAC, you can restrict the permissions on users so that they can't access particular services. It would be good if you separated permissions by subscription which is what a lot of major companies do and that's how they know which workload a subscription handles.

How do I configure the locale and language of Azure Web Role?

How do I configure Azure Web Role to have United Kingdom (as opposed to US) as it's language/regional settings etc for all accounts? I believe I can RDP in and change it. However I want to set it to default on creation of the web role. It is making a difference to some classic ASP pages we have in a legacy app.
Interesting problem. Can't say I've attempted this before. What you want is to set a different locale at startup so that it is always enforced as VMs making up your Web Role may be rebooted from time to time.
Unless someone comes up with a better idea you could try to modify the registry from a Windows Azure Startup Task. You would need to know which user locale to modify and you would need a registry changing CmdLet like this one (though I haven't tried it): Set-RegistryKey.
Given you can figure out what registry value to modify and what user is running your IIS this could be done.
Use a Startup Task. Call a Cmd script and envoke a PowerShell script. Call the CmdLet and set the locale you want.
I realize this is not a complete solution, just a suggestion. Hopefully it is worth while.

How to give Website permission to create further Websites in IIS 7.5?

I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.

What permissions does Network Service require on Vista / IIS7?

Doing some more tinkering with development on VS2008/Vista/IIS7, I'm wondering at a few things regarding the Network Service account. It had no issues running my website until I attempted to set up the Sql Role Membership Provider, which creates a local database in the App_Data folder. Somewhere in there, Network Service ran out of the permissions needed to auhenticate my client.
I solved the problem by changing the app pool to run under my admin account (and later by granting Network Service admin permissions for now), but I'm curious as to what permissions Network Service is missing as I'd ultimately like to keep it (and my sites) out of the admin group. Any ideas?
Also, where's a good place to go debug this stuff? EventLogs have nothing useful, so I'm not sure where else would be a good place to find out when an account tries to do something and is denied. Maybe I just don't have the logs configured properly?
Thanks!
Oddly enough, it looks like gving Network Service write access to the folder containing the mdb file wasn't enough. It apparently wants read access to everything under the "Documents\Visual Studio 2008 directory" as well (the site is hosted from within that directory). Seems ok now. Thanks ProcessMonitor!

Resources