ISA550 Deny access to management login on some vlans/ports

Hi,
I tried to create a firewall ACL rule that would deny access to http/https on the router for some vlans/ports, but it seems like the rule is just ignored.
Also, I can ping all interfaces on the router, even between two vlans that are using a same-level zone. I can even connect to the management login from a different access vlan port.
The main issue is that I don't really like to expose a webserver on a security device to everyone on the LAN side. And I would also like to isolate all vlans and create exceptions if I need to.
Anyone know if this is possible?

Hi Prithvi Manduva,
Thank you for replying!
I have tried to set up two simple rules to illustrate my problem. My configuration is this:
VLAN 1: DEFAULT  in zone OFFICE
VLAN 2: CONFIG in zone CONFIG
With VLAN 1 and 2 assigned to port 2 and port 3 in access mode.
DHCP is enabled on both vlans with subnets of 192.168.5.0/24 for OFFICE and 192.168.10.0/24 for CONFIG
CONFIG_IP is 192.168.10.1
DEFAULT_IP is 192.168.5.1
Using these two rules:
#   FromZone   ToZone   Service   SourceIP   DestinationIP   Action
1   CONFIG     Any      HTTP      Any        CONFIG_IP       Permit
2   Any        Any      HTTP      Any        DEFAULT_IP      Deny
I would think that this would allow the CONFIG zone to access port 80 on config IP, and also deny all other zones to access port 80 on the default gateway for Office (DEFAULT_IP)
I also tried to create a simple Deny ICMP Echo Request to the DEFAULT_IP, but it looks like it's just ignored.
In short, it looks like I can't deny anything to any of the IP addresses of the interfaces on the router.

Similar Messages

  • Need to deny access to file manager for the user

    Hi
    I need to be able to deny access to the file manager, as I don't want my client deleting files. However, for some reason I have to allow him access to this as he needs to be able to upload files through InContext Editor (he needs to link pages to documents that are not on the server so he needs to upload them and to do this, I have to grant him access to file manager). How can I get around this? I don't want to have to reupload his site every time he deletes a file...

    Unfortunately it can't be done - access to the file manager allows deleting as well as uploading and at this point that cannot be changed.

  • Error: unable to checkin Access denied by records manager

    Hi,
    Whenever I am checking in a document applying ACL, it's giving me the error "unable to checkin Access denied by records manager". Without applying ACL it checks in successfully.
    For ACL I have used these config variables:
    SpecialAuthGroups=Securitygroup
    AccessListPrivilegesGrantedWhenEmpty=true
    I have to use ACL. Why am I getting this error?
    Thanks in advance

    Not able to checkin again.
    Below is the stacktrace:
    Event generated by user 'test' at host 'xxxx'. Access denied by records manager [ Details ]
    An error has occurred. The stack trace below shows more information.
    !csUserEventMessage,test,xxxx!$!$Access denied by records manager
    intradoc.common.ServiceException: Access denied by records manager
    *ScriptStack CHECKIN_NEW
    3:checkSecurity,dDocName=
    at intradoc.server.Service.checkExtendedSecurityModelDocAccess(Service.java:3002)
    at intradoc.server.Service.checkSecurity(Service.java:2898)
    at intradoc.server.Service.checkSecurity(Service.java:2882)
    at sun.reflect.GeneratedMethodAccessor200.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at intradoc.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:86)
    at intradoc.common.ClassHelperUtils.executeMethodEx(ClassHelperUtils.java:310)
    at intradoc.common.ClassHelperUtils.executeMethod(ClassHelperUtils.java:295)
    at intradoc.server.Service.doCodeEx(Service.java:620)
    at webdavcomponent.WebdavHandler.checkSecurity(WebdavHandler.java:686)
    at sun.reflect.GeneratedMethodAccessor198.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at intradoc.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:86)
    at intradoc.common.ClassHelperUtils.executeMethodReportStatus(ClassHelperUtils.java:324)
    at intradoc.server.ServiceHandler.executeAction(ServiceHandler.java:79)
    at intradoc.server.Service.doCodeEx(Service.java:603)
    at collections.CollectionUserHandler.checkSecurity(CollectionUserHandler.java:1429)
    at sun.reflect.GeneratedMethodAccessor197.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at intradoc.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:86)
    at intradoc.common.ClassHelperUtils.executeMethodReportStatus(ClassHelperUtils.java:324)
    at intradoc.server.ServiceHandler.executeAction(ServiceHandler.java:79)
    at intradoc.server.Service.doCodeEx(Service.java:603)
    at intradoc.server.Service.doCode(Service.java:575)
    at intradoc.server.ServiceRequestImplementor.doAction(ServiceRequestImplementor.java:1643)
    at intradoc.server.Service.doAction(Service.java:547)
    at intradoc.server.ServiceRequestImplementor.doActions(ServiceRequestImplementor.java:1458)
    at intradoc.server.Service.doActions(Service.java:542)
    at intradoc.server.ServiceRequestImplementor.executeActions(ServiceRequestImplementor.java:1391)
    at intradoc.server.Service.executeActions(Service.java:528)
    at intradoc.server.ServiceRequestImplementor.doRequest(ServiceRequestImplementor.java:737)
    at intradoc.server.Service.doRequest(Service.java:1956)
    at intradoc.server.ServiceManager.processCommand(ServiceManager.java:437)
    at intradoc.server.IdcServerThread.processRequest(IdcServerThread.java:265)
    at intradoc.idcwls.IdcServletRequestUtils.doRequest(IdcServletRequestUtils.java:1354)
    at intradoc.idcwls.IdcServletRequestUtils.processFilterEvent(IdcServletRequestUtils.java:1731)
    at intradoc.idcwls.IdcIntegrateWrapper.processFilterEvent(IdcIntegrateWrapper.java:222)
    at sun.reflect.GeneratedMethodAccessor153.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at idcservlet.common.IdcMethodHolder.invokeMethod(IdcMethodHolder.java:87)
    at idcservlet.common.ClassHelperUtils.executeMethodEx(ClassHelperUtils.java:305)
    at idcservlet.common.ClassHelperUtils.executeMethodWithArgs(ClassHelperUtils.java:278)
    at idcservlet.ServletUtils.executeContentServerIntegrateMethodOnConfig(ServletUtils.java:1704)
    at idcservlet.IdcFilter.doFilter(IdcFilter.java:457)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Provide inputs
    Thanks in advance

  • I can't access "Device Manager" "MMC" "CMD run as administrator" and some .exe files

    https://social.technet.microsoft.com/Forums/getfile/560661
    https://social.technet.microsoft.com/Forums/getfile/560666
    I need help! I am in a hurry.

    Hi,
    Sorry for my delay.
    Based on your description, I'm a little confused with your issue. Would you please let me know more details of this issue? Thanks for your understanding.
    Would you please let me know the OS edition information of this problematic server? Did you log on to the server via an administrator account? Meanwhile, would you please let me know the complete error message when accessing Device Manager, MMC or other .exe files?
    For CMD, please open Task Manager, click File and select Run new task. Then type CMD and select the "Create this task with administrative privileges" option in the Create new task wizard. Will you still encounter the issue?
    By the way, I typed the above links which you provided in IE. However, I can only find a Page Not Found error. You can upload screenshots to OneDrive and then post the link here. (Please hide all protected or private information.)
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Management Tasks access denied from Device manager

    I don't understand why I can't access Management tasks functions from device center to a device and not to another. It happens since a device package update. It seems I do not have all permissions to access the device from "Device center". Remark: the only solution to have these functions is to delete and re-add the device.
    I'm using an admin account.
    Thanks for suggestions.

    Hi,
    LMS 3.2 Solaris 10
    There are 3 functions available with device center : Tools / Reports /Mngt Tasks.
    I select a random device => I have just Tools and Reports functions. I remove and re-add this device from DCR, and there are the 3 functions.
    Same thing for 2000 devices. Never had this problem before the package update. Thanks.

  • Keep 443 open for profile updates, but limit profile manager login

    I notice that port 443 is used by clients to communicate with the server when profiles are pushed (I assume as an encrypted connection for transmitting the profile file). Therefore it seems that for profiles to be pushed to devices outside the LAN 443 needs to be available when clients come calling to the FQDN to get a new profile (when Apple's push notification service says 'hey something is waiting for you').
    However, from a security standpoint I'm not thrilled about exposing the profile manager login to the page to the whole world. Is there a way to limit access to this page to say just our LAN (e.g., using .htaccess) and still allow clients to come calling to the server from anywhere on 443 to fetch profiles? How have others handled this scenario?
    Thanks!

    ...minor updates (see below) after some additional testing. Added /auth as this is another mechanism for authenticating against the admin panel. Also added an additional allow for loopback traffic since logs showed some items being blocked on ::1
    <Location /profilemanager>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # Comments sit on their own lines: Apache does not accept a comment
        # on the same line as a directive.
        # Our LAN
        Allow from 10.0.0.0/8
        # Server's public IP
        Allow from XXX.XXX.XXX.XXX
        # For internal loopback traffic
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
    <Location /mydevices>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # Our LAN
        Allow from 10.0.0.0/8
        # Server's public IP
        Allow from XXX.XXX.XXX.XXX
        # For internal loopback traffic
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
    <Location /auth>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # Our LAN
        Allow from 10.0.0.0/8
        # Server's public IP
        Allow from XXX.XXX.XXX.XXX
        # For internal loopback traffic
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
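
Added example (not part of the original post): a Python model of what the three Location blocks above permit, using the posted "Order deny,allow", "Deny from all" and Allow list. Assumptions: 203.0.113.10 stands in for the redacted public IP, the client addresses and request paths are constructed, and only these three blocks are modelled, not the rest of the server's configuration.

```python
import ipaddress

# Paths and Allow specs copied from the <Location> blocks above.
# Assumption: 203.0.113.10 stands in for the redacted XXX.XXX.XXX.XXX.
PROTECTED_PREFIXES = ("/profilemanager", "/mydevices", "/auth")
ALLOW_FROM = ("10.0.0.0/8", "203.0.113.10", "127.0.0.0/255.0.0.0", "::1/128")
ALLOW_NETS = [ipaddress.ip_network(spec) for spec in ALLOW_FROM]

# Constructed sample requests (client IP, URL path); none come from the page.
SAMPLE_REQUESTS = [
    ("10.20.30.40", "/profilemanager"),        # LAN client, admin UI
    ("198.51.100.7", "/profilemanager/"),      # outside client, admin UI
    ("198.51.100.7", "/auth/constructed"),     # outside client, auth endpoint
    ("::1", "/mydevices"),                     # IPv6 loopback
    ("198.51.100.7", "/authx"),                # shares a prefix string only
    ("198.51.100.7", "/constructed/profile"),  # any path outside the blocks
]


def location_matches(prefix, url_path):
    """<Location /x> covers /x, /x/ and /x/anything, but not /xother."""
    return url_path == prefix or url_path.startswith(prefix + "/")


def order_deny_allow(client_ip, deny_all, allow_nets):
    """Order deny,allow: Deny is evaluated before Allow, a client matching
    Allow is let in even if Deny matched, and the default is to allow."""
    addr = ipaddress.ip_address(client_ip)
    allowed = any(addr.version == net.version and addr in net
                  for net in allow_nets)
    return allowed or not deny_all


def is_permitted(client_ip, url_path):
    """Apply only the three posted blocks to one request."""
    if any(location_matches(p, url_path) for p in PROTECTED_PREFIXES):
        return order_deny_allow(client_ip, True, ALLOW_NETS)
    return True  # none of the three blocks covers this path


def audit(requests):
    """Return (ip, path, 'allow' | 'deny') for each request."""
    return [(ip, path, "allow" if is_permitted(ip, path) else "deny")
            for ip, path in requests]


if __name__ == "__main__":
    for ip, path, verdict in audit(SAMPLE_REQUESTS):
        print(f"{verdict:5}  {ip:15}  {path}")
```

The /authx row shows that a Location block matches whole path segments, so a path that merely starts with the same characters is not covered by it.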

  • Apache user dir (13)Permission denied: access to /~simha/ denied

    I am getting Access forbidden! when I am trying to connect to http://localhost/~simha/ where simha is my user name
    my /var/log/httpd/error_log says
    [Thu Jul 08 17:44:30 2010] [error] [client 127.0.0.1] (13)Permission denied: access to /~simha/ denied
    I tried a lot and gave up. Can anyone help me in this regard?
    The following are the permissions of my home dir simha and public_html
    drwx--x--x 130 simha users 16384 Jul 8 17:04 simha
    drwxr-xr-x 2 simha users 4096 Jul 8 17:02 public_html
    The following is my httpd.conf
    # This is the main Apache HTTP server configuration file. It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
    # In particular, see
    # <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
    # for a discussion of each configuration directive.
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned.
    # Configuration and logfile names: If the filenames you specify for many
    # of the server's control files begin with "/" (or "drive:/" for Win32), the
    # server will use that explicit path. If the filenames do *not* begin
    # with "/", the value of ServerRoot is prepended -- so "/var/log/httpd/foo_log"
    # with ServerRoot set to "/etc/httpd" will be interpreted by the
    # server as "/etc/httpd//var/log/httpd/foo_log".
    # ServerRoot: The top of the directory tree under which the server's
    # configuration, error, and log files are kept.
    # Do not add a slash at the end of the directory path. If you point
    # ServerRoot at a non-local disk, be sure to point the LockFile directive
    # at a local disk. If you wish to share the same ServerRoot for multiple
    # httpd daemons, you will need to change at least LockFile and PidFile.
    ServerRoot "/etc/httpd"
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, instead of the default. See also the <VirtualHost>
    # directive.
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses.
    #Listen 12.34.56.78:80
    Listen 80
    # Dynamic Shared Object (DSO) Support
    # To be able to use the functionality of a module which was built as a DSO you
    # have to place corresponding `LoadModule' lines at this location so the
    # directives contained in it are actually available _before_ they are used.
    # Statically compiled modules (those listed by `httpd -l') do not need
    # to be loaded here.
    # Example:
    # LoadModule foo_module modules/mod_foo.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    LoadModule authn_anon_module modules/mod_authn_anon.so
    LoadModule authn_dbd_module modules/mod_authn_dbd.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_dbm_module modules/mod_authz_dbm.so
    LoadModule authz_owner_module modules/mod_authz_owner.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule file_cache_module modules/mod_file_cache.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule mem_cache_module modules/mod_mem_cache.so
    LoadModule dbd_module modules/mod_dbd.so
    LoadModule dumpio_module modules/mod_dumpio.so
    LoadModule ext_filter_module modules/mod_ext_filter.so
    LoadModule include_module modules/mod_include.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule substitute_module modules/mod_substitute.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule log_forensic_module modules/mod_log_forensic.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule env_module modules/mod_env.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule ident_module modules/mod_ident.so
    LoadModule usertrack_module modules/mod_usertrack.so
    #LoadModule unique_id_module modules/mod_unique_id.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule version_module modules/mod_version.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule info_module modules/mod_info.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule cgid_module modules/mod_cgid.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule imagemap_module modules/mod_imagemap.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule php5_module modules/libphp5.so
    <IfModule !mpm_netware_module>
    <IfModule !mpm_winnt_module>
    # If you wish httpd to run as a different user or group, you must run
    # httpd as root initially and it will switch.
    # User/Group: The name (or #number) of the user/group to run httpd as.
    # It is usually good practice to create a dedicated user and group for
    # running httpd, as with most system services.
    User http
    Group http
    </IfModule>
    </IfModule>
    # 'Main' server configuration
    # The directives in this section set up the values used by the 'main'
    # server, which responds to any requests that aren't handled by a
    # <VirtualHost> definition. These values also provide defaults for
    # any <VirtualHost> containers you may define later in the file.
    # All of these directives may appear inside <VirtualHost> containers,
    # in which case these default settings will be overridden for the
    # virtual host being defined.
    # ServerAdmin: Your address, where problems with the server should be
    # e-mailed. This address appears on some server-generated pages, such
    # as error documents. e.g. [email protected]
    ServerAdmin [email protected]
    # ServerName gives the name and port that the server uses to identify itself.
    # This can often be determined automatically, but we recommend you specify
    # it explicitly to prevent problems during startup.
    # If your host doesn't have a registered DNS name, enter its IP address here.
    #ServerName www.example.com:80
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/http"
    # Each directory to which Apache has access can be configured with respect
    # to which services and features are allowed and/or disabled in that
    # directory (and its subdirectories).
    # First, we configure the "default" to be a very restrictive set of
    # features.
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    </Directory>
    # Note that from this point forward you must specifically allow
    # particular features to be enabled - so if something's not working as
    # you might expect, make sure that you have specifically enabled it
    # below.
    # This should be changed to whatever you set DocumentRoot to.
    <Directory "/srv/http">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    Options Indexes FollowSymLinks includes
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    # Options FileInfo AuthConfig Limit
    AllowOverride None
    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
    </Directory>
    # DirectoryIndex: sets the file that Apache will serve if a directory
    # is requested.
    <IfModule dir_module>
    DirectoryIndex index.html
    </IfModule>
    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    <FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>
    # ErrorLog: The location of the error log file.
    # If you do not specify an ErrorLog directive within a <VirtualHost>
    # container, error messages relating to that virtual host will be
    # logged here. If you *do* define an error logfile for a <VirtualHost>
    # container, that host's errors will be logged there and not here.
    ErrorLog "/var/log/httpd/error_log"
    # LogLevel: Control the number of messages logged to the error_log.
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    <IfModule log_config_module>
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
    # You need to enable mod_logio.c to use %I and %O
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here. Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    CustomLog "/var/log/httpd/access_log" common
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #CustomLog "/var/log/httpd/access_log" combined
    </IfModule>
    <IfModule alias_module>
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL. You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client. The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
    </IfModule>
    <IfModule cgid_module>
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #Scriptsock /var/run/httpd/cgisock
    </IfModule>
    # "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have that configured.
    <Directory "/srv/http/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    </Directory>
    # DefaultType: the default MIME type the server will use for a document
    # if it cannot otherwise determine one, such as from filename extensions.
    # If your server contains mostly text or HTML documents, "text/plain" is
    # a good value. If most of your content is binary, such as applications
    # or images, you may want to use "application/octet-stream" instead to
    # keep browsers from trying to display binary files as though they are
    # text.
    DefaultType text/plain
    <IfModule mime_module>
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    TypesConfig conf/mime.types
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #AddType application/x-gzip .tgz
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    # Filters allow you to process content before it is sent to the client.
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
    </IfModule>
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type. The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #MIMEMagicFile conf/magic
    # Customizable error responses come in three flavors:
    # 1) plain text 2) local redirects 3) external redirects
    # Some examples:
    #ErrorDocument 500 "The server made a boo boo."
    #ErrorDocument 404 /missing.html
    #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
    #ErrorDocument 402 http://www.example.com/subscription_info.html
    # EnableMMAP and EnableSendfile: On systems that support it,
    # memory-mapping or the sendfile syscall is used to deliver
    # files. This usually improves server performance, but must
    # be turned off when serving from networked-mounted
    # filesystems or if support for these functions is otherwise
    # broken on your system.
    #EnableMMAP off
    #EnableSendfile off
    # Supplemental configuration
    # The configuration files in the conf/extra/ directory can be
    # included to add extra features or to modify the default configuration of
    # the server, or you may simply copy their contents here and change as
    # necessary.
    # Server-pool management (MPM specific)
    #Include conf/extra/httpd-mpm.conf
    # Multi-language error messages
    Include conf/extra/httpd-multilang-errordoc.conf
    # Fancy directory listings
    Include conf/extra/httpd-autoindex.conf
    # Language settings
    Include conf/extra/httpd-languages.conf
    # User home directories
    Include conf/extra/httpd-userdir.conf
    # Real-time info on requests and configuration
    #Include conf/extra/httpd-info.conf
    # Virtual hosts
    #Include conf/extra/httpd-vhosts.conf
    # Local access to the Apache HTTP Server Manual
    #Include conf/extra/httpd-manual.conf
    # Distributed authoring and versioning (WebDAV)
    #Include conf/extra/httpd-dav.conf
    # phpMyAdmin configuration
    Include conf/extra/httpd-phpmyadmin.conf
    # Various default settings
    Include conf/extra/httpd-default.conf
    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    Include conf/extra/php5_module.conf
    # Note: The following must must be present to support
    # starting without SSL on platforms with no /dev/random equivalent
    # but a statically compiled-in mod_ssl.
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
    The following is my /etc/httpd/conf/extra/httpd-userdir.conf
    # Settings for user home directories
    # Required module: mod_userdir
    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received. Note that you must also set
    # the default access control for these directories, as in the example below.
    UserDir public_html
    # Control access to UserDir directories. The following is an example
    # for a site where these directories are restricted to read-only.
    <Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
    <Limit GET POST OPTIONS PROPFIND>
    Order allow,deny
    Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
    </LimitExcept>
    </Directory>
    I also tried adding user to the group http. But nothing is working.

    Do you have [or more like lack] +x on the user folder?

  • Unable to access Skype Manager

    I've been unable to access Skype Manager for 8 days now.  My account works fine to log in regularly via the Skype app (to make calls, chat, etc), and I can even log in to the Skype site to change settings for that account.  I just can't get into the Skype Manager.  When I do, I see an error message (screenshot below) either after I'm prompted for my login credentials, or immediately upon clicking the Skype Manager link if I'm already logged in.
    When I chat or email Skype support, they either claim that it's working fine, or they say that a "specialized department" (they always refuse to name the department when I ask) will take care of it and email me.  The email invariably arrives a couple of days later telling me that everything is working fine, and if for some reason it's still not working, I should contact Skype chat support.
    I tried reaching out to Claudius at @SkypeSupport via twitter and all I got back from him were these two non-specific and not-helpful tweets:  
    @mdavep I just successfully logged on manager.skype.com in using IE9. Which browser are you using and which error do you see? ^CH
    (when I answered his question he did not reply)
    -and-
    @mdavep Which page are you trying to login? Your web account page is here: skype.com/go/myaccount ^CH
    (when I answered his question he did not reply)
    My business is suffering as a result of these problems, as I am unable to reassign phone numbers to my sales teams and make changes to my tracked numbers for my ad campaigns.  I'm probably losing about $250-$500 per day that this is not working.
    Screenshot:

    We've identified a login problem with Skype Manager and are working to resolve it as quickly as possible.
    Sorry for the inconvenience (and confusion caused by my follow up tweet).
    Unfortunately I can't share an ETA for the fix yet.

  • Is there a way to create user logins or some other way to ...

    Is there a way to create user logins or some other grouping for a set of applications to use (memory) resources optimally -- for example only mail and Safari and Word in one grouping and another for Safari and an audio recording application, etc.?

    It is possible to use Parental Controls to limit which applications can be used by a particular user account.
    But it's not really necessary as far as managing memory.
    Matt

  • Sql server grants access to specific login to database.

    I have created a website for the intranet and hosted it on a server. For that I needed to create the login "IIS APPPOOL\hi" in SQL Server 2008 for my application to access my "reportdb" database. "IIS APPPOOL\hi" has the sysadmin and public server roles in SQL Server 2008. And I have the default login "sa", same as "IIS APPPOOL\hi". These are working correctly. Now I want these two logins to access "reportdb" for all operations in the database, and all remaining logins should be denied access to "reportdb". My SQL Server 2008 is in mixed mode (Windows authentication and SQL authentication). Please help me.

    I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
    As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
    If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
    Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities to perform the tasks needed.
    The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
    If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any question on this topic I will be glad to assist.
    I hope this information helps,
    -Raul Garcia
     SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.
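    The least-privilege setup recommended in the answer above, sketched as an added example that is not part of the original thread or of Raul Garcia's reply. The login and database names come from the question; the role, table and procedure names are hypothetical, and the script assumes "IIS APPPOOL\hi" does not own reportdb.

```sql
-- Added example, T-SQL in SQL Server 2008 syntax; run in SSMS or sqlcmd
-- (GO is their batch separator).
-- From the thread: login [IIS APPPOOL\hi], database reportdb.
-- Hypothetical: role report_app, table dbo.report_staging,
-- procedure dbo.usp_ResetStaging.

USE master;
GO
-- 1. Take the application pool identity out of sysadmin.
EXEC sp_dropsrvrolemember @loginame = N'IIS APPPOOL\hi', @rolename = N'sysadmin';
GO

USE reportdb;
GO
-- 2. Map the login to a database user. Logins with no user here cannot open
--    reportdb unless they are sysadmin or guest has CONNECT.
CREATE USER [IIS APPPOOL\hi] FOR LOGIN [IIS APPPOOL\hi];
GO

-- 3. Grant only what the application needs, through a role.
CREATE ROLE report_app;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO report_app;
EXEC sp_addrolemember @rolename = N'report_app', @membername = N'IIS APPPOOL\hi';
GO

-- 4. Controlled elevation: TRUNCATE needs ALTER on the table, which report_app
--    lacks. The procedure runs as its owner and takes no input.
CREATE PROCEDURE dbo.usp_ResetStaging
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    TRUNCATE TABLE dbo.report_staging;
END;
GO
GRANT EXECUTE ON OBJECT::dbo.usp_ResetStaging TO report_app;
GO

-- 5. Check: principals that hold CONNECT on reportdb ...
SELECT dp.name, dp.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 0 AND p.permission_name = N'CONNECT' AND p.state IN ('G', 'W');

-- ... and logins that bypass permission checks as sysadmin.
SELECT name FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') AND IS_SRVROLEMEMBER('sysadmin', name) = 1;
```

    With this in place a SQL injection bug in the web application is limited to what report_app can do in reportdb instead of reaching the whole server.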

  • Limit access to Apex login page

    Hi,
    We are deploying an application to our users. I need to limit access to Apex login page f?p=4550 to some predefined IP addresses. Any ideas on this?
    Best regards,
    Onur.

    How exactly the APEX engine forces a '404' to be returned, I am not entirely sure. Perhaps it sends back the Response with the Header Status set to 404?
    Yes, with this process on the login page.
    begin
      if not #OWNER#.wwv_flow_security.ip_check then
          #OWNER#.wwv_flow.g_unrecoverable_error := true;
          sys.owa_util.status_line(404, 'Page Not Found');
          sys.owa_util.http_header_close;
      end if;
    end;
    Scott

  • How to access Sap portal login user in ejb web service

    Hi,
    I want to access SAP Portal login user in my ejb application which resides on the same server.
    I am using following code
    try {
        IUser user = null;
        IWDClientUser wdUser = WDClientUser.getCurrentUser();
        user = wdUser.getSAPUser();
    } catch (WDUMException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    Some additional jar files are required for this?
    The same code works fine with webDynpro but not with ejb.
    Thanks in advance     
    Best regards,
    Nilesh

    Thanks for reply.
    I have already added com.sap.security.api in my EJB module project classpath. How to add the same in EJB application Project (application-j2ee-engine.xml)?
    Best regards,
    Nilesh

  • SAP PI problem: User credentials are invalid or user is denied access

    Hi!
    I am about to configure SAP PI.
    Therefore I have run post installation wizard step PI_00 and get the following errors:
    Error: Not able to load Function SWF_XI_BPM_AUTO_CUSTOMIZE
    (cause:Name or password is incorrect (repeat logon)).
    Step: Execute SWF_XI_BPM_AUTO_CUSTOMIZE
    Error: User credentials are invalid or user is denied access
    Step: Add Installed Product2
    Questions:
    How can I identify which user/password makes problems here?
    P.S.
    My further problems are:
    2) It is not possible to work with XI tools, such as:
    Integration Directory, Integration Repository, Runtime Workbench
    When I try to execute some action in these tools I get the following error:
    Cannot connect to Repository
    Error during communication with System Landscape Directory: User credentials are invalid or user is denied access.
    2) When I try to access the NetWeaver configuration wizard (http://localhost:50000/nwa)
    I get the following warning:
    System Landscape Directory is not available
    Only local systems can be maintened
    Thank you very much
    Thom

    Hi,
    Check the similar discussion  Error in PI postinstallation wizard
    Wrong password PISUPER in PI_00 wizard
    Thanks!
    Edited by: Sudhir Tiwari on Nov 26, 2008 10:29 AM

  • Remote Access Disk Management

    I am wanting to be able to manage the new installation of windows 2012r2 core, which is a workgroup.
    I can see the event logs etc, but when I try device manager or disk manager I receive rpc error.
    What do I need to configure?

    I've posted this to a number of forums.  It has allowed me to manage almost everything remotely.  There are still some things with disk manager that don't work quite right, but they can be handled correctly from Server Manager instead of disk manager. 
    I run this on every server I build and I try to do almost all my management remotely.  Some things do require command line.  Microsoft has gotten a lot better over the years on the MMCs handling things remotely, but they are not 100% there.
    Oops, as I clicked submit, I saw the fact that your server is in a workgroup.  My script assumes domain.  But,
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/fe80f0aa-0697-4657-a1da-19d36b036698/guide-to-remote-manage-hyperv-servers-and-vms-in-workgroups-or-standalone?forum=winserverhyperv is another post talking about how another person accomplished
    in a workgroup.
    # Set-UcsHyperVRemoteMgmt.ps1
    # C A U T I O N: Ensure these settings conform to company security policy
    # This script works on a variety of settings that are easiest done from the
    # local machine to make it remotely manageable by a management workstation.
    # To find rule names
    # Get a list of possible groups
    # Get-NetFirewallRule | Select DisplayGroup -Unique | Sort DisplayGroup
    # To list the applicable rules that may be set.
    # Get-NetFirewallRule | Where { $_.DisplayGroup -Eq "Remote Volume Management"} | Format-Table Name
    # Ensure Server Manager remoting is enabled
    Configure-SMRemoting.exe -Enable
    # Set some firewall rules
    # Enable ping requests in and out
    Set-NetFirewallRule -Name "FPS-ICMP4-ERQ-In" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "FPS-ICMP6-ERQ-In" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "FPS-ICMP4-ERQ-Out" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "FPS-ICMP6-ERQ-Out" -Enabled True -Profile Any
    # Enable remote volume management - firewall rules need to be set on both
    # source and destination computers
    # ***NOTE*** Policy must also be set on system to "Allow remote access
    # to the Plug and Play interface"
    # This is done with gpedit.msc locally or gpedit for domain policy
    Set-NetFirewallRule -Name "RVM-VDS-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RVM-VDSLDR-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RVM-RPCSS-In-TCP" -Enabled True -Profile Any
    # Enable DCOM management requests in
    # -ErrorAction Stop turns a missing rule into a terminating error so Catch runs
    Try {
        Set-NetFirewallRule -Name "ComPlusNetworkAccess-DCOM-In" -Enabled True -Profile Any -ErrorAction Stop
    }
    Catch {
        Write-Host "ComPlusNetworkAccess-DCOM-In not set; assuming core installation"
    }
    # Enable remote service management
    Set-NetFirewallRule -Name "RemoteSvcAdmin-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteSvcAdmin-NP-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteSvcAdmin-RPCSS-In-TCP" -Enabled True -Profile Any
    # Enable Remote Event Log Management
    Set-NetFirewallRule -Name "RemoteEventLogSvc-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteEventLogSvc-NP-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteEventLogSvc-RPCSS-In-TCP" -Enabled True -Profile Any
    # Enable Remote Scheduled Tasks Management
    Set-NetFirewallRule -Name "RemoteTask-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteTask-RPCSS-In-TCP" -Enabled True -Profile Any
    # Enable Windows Firewall Remote Management
    Set-NetFirewallRule -Name "RemoteFwAdmin-In-TCP" -Enabled True -Profile Any
    Set-NetFirewallRule -Name "RemoteFwAdmin-RPCSS-In-TCP" -Enabled True -Profile Any
    # Enable WMI management requests in
    Set-NetFirewallRule -Name "WMI-WINMGMT-In-TCP" -Enabled True -Profile Any
    # Enable Remote Shutdown
    Set-NetFirewallRule -Name "Wininit-Shutdown-In-Rule-TCP-RPC" -Enabled True -Profile Any
    # Enable Network Discovery on the Domain Network
    Set-NetFirewallRule -Name "NETDIS-FDPHOST-In-UDP" -Enabled True -Profile Domain
    Set-NetFirewallRule -Name "NETDIS-FDPHOST-Out-UDP" -Enabled True -Profile Domain
    # Set some services to automatically start and start them.
    Set-Service -Name PlugPlay -StartupType Automatic
    Start-Service PlugPlay
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service RemoteRegistry
    Set-Service -Name vds -StartupType Automatic
    Start-Service vds
    # Enable Remote Desktop
    (Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null
    # SetUserAuthenticationRequired(0) turns off the Network Level Authentication requirement for RDP
    (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null
    # Enable Remote Desktop rules for all profiles
    Set-NetfirewallRule -Name "RemoteDesktop-UserMode-In-TCP" -Enabled True -Profile Any
    Set-NetfirewallRule -Name "RemoteDesktop-UserMode-In-UDP" -Enabled True -Profile Any
    .:|:.:|:. tim

  • Is there a way to deny access to BI Publisher -Report job in OBIEE 11g?

    Thank you all for the helpful information in the posts. I am trying to disable or not to display Report job under published reporting in OBIEE 11g. Could any one of you please help me with the steps?
    My issue:
    I am pretty new to OBIEE and we are using OBIEE 11g. When the user clicks on the New drop-down, I am trying to disable or turn off Report job under published reporting for a user group. I tried to find the relevant components for published reporting to deny access to Report job under manage privileges, but no luck, I couldn't find any, and I realized that I should be looking into Manage BI Publisher roles and responsibilities, but I cannot remove the roles. Please help me with the steps and the options where I need to go and what I should do to not display the Report job. Your help is greatly appreciated; if I am not clear please let me know and I will try to rephrase or explain it better.
    FYI
    We are using LDAP for user creation and we have created a new group and created a test user that belongs to that group, and that user should not see the Report job. When I am seeing the user's roles and responsibilities it is also showing me two other roles, authenticated user role and BI consumer role, for the test user. When I asked the admin guy dealing with LDAP, he said he only associated the user with that new group only. Please advise.
    Thanks,
    Ravi
    Edited by: user1146711 on Aug 18, 2011 2:00 PM
    Edited by: user1146711 on Aug 18, 2011 2:02 PM
    Edited by: user1146711 on Aug 18, 2011 2:03 PM

    In EM, go to Weblogic Domain, right click on bifoundation_domain and on the Security menu choose Application Policies.
    Set Application Stripe to obi and click the blue arrow search button.
    Highlight BIConsumer and click Edit.
    Under Permissions locate Resource Name oracle.bi.publisher.scheduleReport. Highlight this and click Delete...
    Click OK (top right corner).
    Now log your user out of OBIEE and back in again, and the option should have disappeared from their New menu.

Maybe you are looking for