I have a Windows Service that requires the ability to query AD, as well as open a TCP port.
Previously, I had it running as my own personal domain account that was setup as a local administrator on the server. Later, IT required that it run as it's own account (makes sense), and we tried to duplicate the account setup.
When reconfiguring the service to run as the newly created account, it fails to start. No exceptions thrown, no errors in the logs, nothing. It just refuses to start.
What is the best way to debug this? We're trying to reproduce the issue locally where we can do real-time debugging now.
Any specific requirements or permissions that account needs on the server?
Answer to this question I think is already here on SO.
However, here is some wise advice from Microsoft:
Run the service in a specific security
context. To help secure your system
from attacks, run the service with
minimal user rights. If you require
more user rights than those that are
granted to the minimal user accounts,
do not run the service as a user with
administrative credentials.
Also, do not change the security
policy to elevate the user rights of
the built-in logons (SYSTEM, Anonymous
Logon, Local Service, and Network
Service). Instead, create a custom
account, and then grant the account
the user rights that your service may
require. If you require network
credentials, use a domain account. If
you do not require network
credentials, use a local account. You
may spend more time creating a custom
account with limited user rights, but
this is more secure than if you either
run the service with too many user
rights or when you add user rights to
an account that is included with the
operating system.
Related
At work we have developed an individual customer specific software application that is in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and login through our program. For Microsoft and Gmail accounts OAUTH is implemented and something here is not very clear.
For Gmail-API we have made an OAUTH Client and Consent screen on Google Cloud Console which we need to publish and verify and here is where the problems start. I am not very clear with the whole process of verifying the app.
In the steps for verifying is stated that we should verify a domain for the app, but this software is not hosted anywhere on internet and is not publicly available, it is available to a number of specific users (2000-3000).
Also Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. Also here is required a Data Protection Policy page for the application which we as a developers don't have because we are only developing the software.
Other thing that is not clear to me, how is this type of software rated by Google, internal or public?
Have anyone experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email so you are using the users.messages.send method from the Gmail api. This uses a restricted scope. Which means you will need to go though the full process.
First of it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via google search console. So this app will need a domain
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third party security checkup of your application which is not free and will need to be done once a year.
All of this is needed because of your consent screen it doesn't matter if its hosted any where, It also doesn't matter if this is only available to specific number of users.
If all of the users are part of a single google workspace account, that has created your client id and client secrete then you can set the app to internal and you wont need to be verified. This only works for google workspace domain accounts.
I have a specific SharePoint site that I have been asked to integrate my web based application with in a read-only fashion using my backend server.
I currently have an app with Default Directory only (Single tenant) access
which I am modifying Application API permissions to also require Sites.Selected, however this one is requiring that I obtain Admin consent
I have had an absolute atrocious time trying to figure out how to obtain access to my specific site and not grant access to every single site in my tenant
I'm working on a dummy azure account prior to asking my ops team for the real permissions from the real ecosystem, but I dont have a sharepoint site to test on because I dont know how to set it up, the IT department team who manages it is very slow to answer so its difficult to move the ball forward without knowing exactly what I need before asking.
Under "Enterprise Applications" > {My Application Name } > Permissions (left sidebar), i see a big blue button that I read about in some docs, but i'm scared to grant the permissions because it says I give my app access to the default directory which I don't want to do, and it provides nowhere for me to specify my "selected" site
does anyone have more information on how I can grant a specific site to my app?
every article I run to talks about admin confirmation but neglects to tell me specifically how it's done
Default Directory is just a default name for your tenant, and not related to any default collection of sites. See my tenant name v6pz1 in the image
For this Sites.Selected permission, it's a 2-step process for giving your app access to the sites.
The app needs to be given permission to the site at the SharePoint level
The app needs to be granted admin consent to access the sites through the Graph API
You see this described in the MS Graph permissions reference table as well.
Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
To actually grant your app the SharePoint permission to a site, you can use the MS Graph endpoint to create permissions
I have a windows service that imports support emails into a CRM from 4 different email accounts. I am currently using IMAP, but would like to move to Microsoft Graph.
After much investigating I am only seeing two options to make this happen:
Using a delegated permission: Implement a user interface to authenticate to the email accounts via OAuth (won't work for a daemon process)
Using an application permission: Get permission from my email admin to access ALL email messages in the company so I can process email from these four accounts (It will be a cold day in Hades when I get this kind of permission on a corporate level)
So, from what I can see, I am stuck. Can anyone recommend another option, or do I go back to IMAP?
With 2 you could scope the permissions so your application only has access to those four mailboxes in question https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access. For the corporate this would be the most secure option eg no user account/password or licence and you app is just restricted to email on those four account.
So, from what I can see, I am stuck. Can anyone recommend another option, or do I go back to IMAP?
In security terms even option 1 is generally going to be better the IMAP (especially using basic auth) and you can use it in a daemon if you use the ROPC grant https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc which is going to be the same as what you doing with IMAP.
I have my .Net apps hosted in Azure Web Apps. Is there any way that I can stream/view the application/server log traces directly using without signing into the portal.
The reason why I need this is because, My contains the fellow developers who will not be having access to the Azure portal.
Please help if any solution for this. Thanks in Advance.
I have tried enabling the log streaming inside the Azure portal.But that doesn't meet my requirement.
Also tried storing the logs to the Azure storage account. But cannot find any opensource tools to fetch and read the logs. And feels this as a time consuming solution.
Mohit's recommendations are great and probably the best advice, however:
I have a suggestion which does not fulfil the requirement of not having a role in Azure, but may offer such an advantage that it could be worth it. Using the Azure CLI you can stream out the logs:
az webapp log tail --name appname --resource-group myResourceGroup
https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#streamlogs
You may be able to setup a role with sufficient constraints that all the developer can do is read the diagnostic logs:
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/roles-permissions-security
Also if you are not familiar with it, I'd suggest looking at Azure Application Insights, it does not have the super low level logs, but likely sufficient for diagnosing issues that a developer would typically run into. And has many advanced features that make it far easier to diagnose things than looking at log files.
https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
Simplest way to achieve that is to use storage account and container for application and diagnostic logging.
To enable diagnostics for your Azure web app, you can do the following:
Log in to your account at https://portal.azure.com/.
Go to your Azure Web App and select Settings > Diagnostics logs.
For Application Logging (Blob), click On and set the parameters.
Set the Level for the logging.
For Storage Settings, click > and select the Storage Account and Container.
This is the Storage Account and Container that Azure will use to store logs for the Web App. Make note of this information because you will need it to set up a log collection job in USM Anywhere. You can click + Storage Account to create a new storage account or container, or select an existing one.
For Web server logging, select Storage.
Click Storage Settings and select the same storage account and container that you set for the application logging.
Once done then you can share the Azure storage container using SAS shared access signature.
SAS will having a URI which will have the predefined access on the container, By this way you will be able to see logs without accessing Azure portal.
A shared access signature (SAS) is a URI that allows you to specify the time span and permissions allowed for access to a storage resource such as a blob or container. The time span and permissions can be derived from a stored access policy or specified in the URI. We’ll cover both of these in detail later.
You can refer below docs for reference.
https://blogs.msdn.microsoft.com/jpsanders/2017/10/12/easily-create-a-sas-to-download-a-file-from-azure-storage-using-azure-storage-explorer/
https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/azure-blob-storage-part-9-shared-access-signatures/
https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/azure/azure-enable-diagnostics.htm
Hope it helps.
I’m working on an app that will be deployed to a fleet of corporate Windows laptops that are bound to Active Directory. Part of the app would need to allow the user to access the company's intranet URL. Would it be at all to automatically authenticate that user for their intranet without forcing another login? They've already logged into their AD account when logging into the laptop so I want to avoid it if possible. I've searched and haven't been able to find any information that covers this case.
Depending on your security strictness, the username package could be a good fit for you.