Recommendation needed on: Locking Down BW Client / Object Changeability:

Similar Messages

• Locking down anyconnect client profile

  I was wondering if there is a way to lock down the anyconnect profile on a clients machine.  Basically we are using certifcates to authenticate so the client can make a VPN connection.  We have enabled the certifcate match function to check for IPSec User Extended Match Key.  I can modify the XML on the client PC to bypass the check and authenticate.  We would like to keep users from doing that.  Is there something I can setup on the ASA versus the client to check the certificate or prevent the XML from being modified?
  Thanks in advance.

  I went in and modified the xml and removed the following.  I was then able to make a connection without checking for the IPSecUser extended key usage.  I have 2 certs on my client.  One cert has the IPSecUser extended key usage and the other does not.
      IPSecUser

• Need to Lock down Keyboard Manager System Tray Icon

  I run 27 MacBooks at a Secondary School. I have them setup for Windows XP Pro (I'll be setting up the Mac OS over then next few weeks but this is a MS Windows School so lets start slow). Hoever I need to be able to disable the "Boot Mac OS" option on the Keyboard Manager. But still have access to Volume and Eject etc Keys.
  Solution: 1
  a .adm file so that I can contol what is avilable to students through Group Policy (disable reboot in Mac, Disable Boot Camp First time Run Help Screen)
  Solution 2
  A Keyboard driver that will make all the Keys work (and remote if possible) but has no System tray Icon
  Solution 3
  Hide the System tray icon (as say an option in the Boot Camp Control Panel which I can already disable through group policy) then all I need to kill is the anoying first time run help screen.
  The help screen is anoying because for each of the 800 student will probably only login into each laptop once each so that will come up every time, because I reimage every 3 months or so.
  The reboot in Mac OS would be no problem if it did not perminatly change to boot order and the Mac OS side boot change back is too complicated for most first time Mac users. The way I will be introducing the Mac OS is telling them about the hold the "option" key trick on boot. hence the dummys will get what they are expecting, and the smarties have the option without afecting the dummys.
  I relise this is a Devolopers thing but I can find no other way to inform them of the need. I dout I am the only System admin needing this.
  Thank You
  Message was edited by: Solus Venator

  Unfortunately no that did not help
  Using msconfig only stops the Keyboard Manager from running. I can do that simply be removing it from the registry with out the annoying msconfig messages. (good for testing though)
  I have also looked into the Hide tray Icon Path but that only tucks it behind a set of “<<”
  And the reboot function does Permanently Change the Boot Order. (Not the boot sector necessarily, The Boot Order) to change it back you need to login into the Mac OS and System Prefs Disk Boot Select the Boot Camp Part and Reboot …… Big Pain in neck.
  The Keyboard Manager icon does not have an eject option… If is needed for the Eject Key to work (and the Volume Mute, Up, Down, Brightness Up, Down. Note it is not Needed for the Play FF Rew Keys they work fine with the Fn Key)
  Here is the test
  With no icon showing, or an icon with no reboot option : Press The Eject Key if the CD Ejects Success, I also need Volume do not care about the others as much
  As Stated this is a Developer( Programmer) oversite and needs them to put in an option to remove the reboot option from the System tray Icon. Removal of the Icon would also be desirable
  Thank You

• How do i disable edge gestures in windows 8.1 on a dell tablet ? i need to lock down my full screen app.

  This is my current code. I am using window property PKEY_EdgeGesture_DisableTouchWhenFullscreen, but when i run it on dell venue 8 tablet running win8.1, i always get same error from SHGetPropertyStoreForWindow :
  Err = 0x80004002    E_NOINTERFACE    No such interface supported
      Structure PROPERTYKEY
          Dim fmtid As Guid
          Dim pid As UInt32
      End Structure
      Private Interface IPropertyStore
          Sub GetCount(ByRef cProps As UInt32)
          Sub GetAt(ByVal iProp As UInt32, ByRef pkey As PROPERTYKEY)
          Sub GetValue(ByRef key As PROPERTYKEY, ByVal pv As Object)
          Sub SetValue(ByRef key As PROPERTYKEY, ByRef pv As Object)
          Sub Commit()
      End Interface
      Public Class PropertyStore
          Implements IPropertyStore
          Public Sub Commit() Implements IPropertyStore.Commit
          End Sub
          Public Sub GetAt(ByVal iProp As UInteger, ByRef pkey As PROPERTYKEY) Implements IPropertyStore.GetAt
          End Sub
          Public Sub GetCount(ByRef cProps As UInteger) Implements IPropertyStore.GetCount
          End Sub
          Public Sub GetValue(ByRef key As PROPERTYKEY, ByVal pv As Object) Implements IPropertyStore.GetValue
          End Sub
          Public Sub SetValue(ByRef key As PROPERTYKEY, ByRef pv As Object) Implements IPropertyStore.SetValue
          End Sub
      End Class
      <DllImport("shell32.dll", SetLastError:=True)> _
      Private Function SHGetPropertyStoreForWindow(ByVal handle As IntPtr, ByRef riid As Guid, ByRef propertyStore As IPropertyStore) As UInt32
      End Function
          '    ' 20140804 support disable of edge swipes when run fullscreen in windows 8
     ' name = System.EdgeGesture.DisableTouchWhenFullscreen
     ' shellPKey = PKEY_EdgeGesture_DisableTouchWhenFullscreen
     ' formatID = 32CE38B2-2C9A-41B1-9BC5-B3784394AA44
          Dim g As Guid = New Guid("32CE38B2-2C9A-41B1-9BC5-B3784394AA44")
          Dim PropStore As IPropertyStore = New PropertyStore
          Dim rc As UInt32 = SHGetPropertyStoreForWindow(HWnd, g, PropStore)
          ' 0x80004002    E_NOINTERFACE    No such interface supported
          ' S_OK    Operation successful    0x00000000
          If (rc = 0) Then
              Dim PKEY_EdgeGesture_DisableTouchWhenFullscreen As PROPERTYKEY
              PKEY_EdgeGesture_DisableTouchWhenFullscreen.fmtid = New Guid("32CE38B2-2C9A-41B1-9BC5-B3784394AA44")
              PKEY_EdgeGesture_DisableTouchWhenFullscreen.pid = 2
              Dim bVal As Boolean = True
              PropStore.SetValue(PKEY_EdgeGesture_DisableTouchWhenFullscreen, bVal)
          End If

  You are passing PKEY_EdgeGesture_DisableTouchWhenFullscreen where it expects IID_IPropertyStore. 
  Visual C++ MVP

• Locking Down & Creating Exceptions

  We have seven school district buildings which includes an administration
  building. Each school has it's own server set on NW6.5SP5 and BM3.8SP4 as
  well as Zen 7. The admin bld has two servers, one for the building and one
  is our web/e-mail server using GW 7.0.2HP and Apache2. It also has GWava
  running with Kaspersky A/V (e-mail) and both servers are our DNS servers.
  If I set the default filters (to lock down the system) with BM, all
  connectivity is lost, which it should be. However, I've not been able to
  figure out the correct filters to set to allow traffic into and out of the
  web server and e-mail, i.e., if I lock down the building server no one can
  get to their e-mail or access the web server but can access the Internet via
  the BM proxy.
  I have Craig's books but guess I need a little more detail and pictures. Is
  there a book out there for those of us with A.D.D. that will walk me through
  creating a filter one-step-at-time including saying what each step is
  for/doing or what will be accomplished?
  I need to lock down each of the servers, but can't because, although users
  can get out to the Internet via the BM Proxy, they still don't have access
  to GroupWise from the client and / or Novell's iFolder, and Instant
  Messaging, of course. If I go to iManager 2.6 and attempt to creating
  exceptions for GW, iFolder and IM, the filter exceptions are created but
  don't make a difference.
  Sorry to drag on so long, but we've had an incident happen in the last month
  and we need to make the network more secure but still allow users to such
  things as the Internet, GW, iFolder, etc.
  Any suggestions and/or ideas would be appreciated,
  Tim

  >> In article <[email protected]>, Tim Ferguson wrote:
  >> When I say "Yes" to create a secure system when running BRDCFG, all outside
  >> access is blocked or isn't it supposed to be?.
  >> When you do that, it blocks all traffic to and from the public interface, and
  >> then adds some default exceptions intended to allow the VPN and certain
  >> proxies to work. (It will not overwrite any exceptions you might already
  >> having in place that would allow too much traffic through).
  >> The only way to the Internet
  >> is through the proxy, and VPN traffic is ok. Traffic on the VPN and the
  >> private IP network is fine, or should be, correct?
  >> Should be, correct.
  >> For Example:
  >> I have a user at 192.168.30.150 that needs to access his GW e-mail using the
  >> GW client to the server at 209.xxx.xxx.163, port 1677, but can't once the
  >> "secure system" is set. Realistically, we should set his client to check
  >> the private IP of the e-mail server at 192.168.20.1, port 1677, correct?
  >> Well...
  >> I'm not clear if you are trying to have the client access the GW process from
  >> inside or outside the LAN. Normally if you have a client on the inside of the
  >> LAN, that client should always be pointed to the internal IP address of a
  >> process, not the public IP address.
  I was talking about each teacher's workstation GW client, all of which are inside the VPN-created LAN
  >> If the GW process (POA, here) is running on the BMgr server itself, it is most
  >> likely listening on all IP addresses, and you need to make sure the internal
  >> address (unfiltered) is being used when inside the LAN.
  We have seven buildings, six schools and the administration building. Each building has it's own BorderManager server. Each building has it's own T-1 circuit. The buildings are connected by a BorderManager VPN (IKE). The web/mail server at the administration building is the VPN master.
  Currently each workstation's GW client (in each building) is set to the GW server's (MTA, POA, GWIA, WEBACC) public IP. Setting the filters to create a secure system would kill this capability, correct?
  >> If the process is being static NAT'd to that public address, you should not be
  >> able to access it from the inside (using the public address) with filters up
  >> or not.
  We are using "dynamic" NAT in each building. I only use "static" NAT when I create a secondary IP to my office computer so I can access it from home. NAT is then set to "dynamic and static" and not "static" only.
  >> If the process is being proxied to the public address, you could access it on
  >> the public address, as long as filter exceptions were added to allow the
  >> traffic from private to public, but it would be better to just point to the
  >> internal address.
  The process is not being proxied to the public address, was never able to get that configured and working.
  >> Often this means you just set up an internal DNS server.
  Explain further, please. Each of the two servers at the administration building is a public DNS server. To create an internal DNS server, it would be set just to the private IP's of most of the same objects on the public DNS servers?
  >> Should I then: (1) Create an exception on his building's server (the
  >> gateway) using the public interface to let his client out on port 1677? And
  >> (2) Create an exception on the mail server using the public interface to
  >> allow port 1677 in, and use a stateful filter exception on both so traffic
  >> goes both ways? or (3) ???
  >> If the client is on the inside of the LAN, you definitely should be pointing
  >> the client to an internal IP address.
  >> If the client is on the outside of the LAN (laptop taken home, for instance,
  >> or a home PC using GW client), then you have options:
  >> 1. GW running on a BMgr server
  YES
  >> 2. GW running internally, proxied to a public address
  NO
  >> 3. GW running internally, static NAT'd to a public address.
  NO
  From home or otherwise outside the private LAN, we use the GW server's public IP from the GW client.
  >> With 1 and 2, the filter exceptions are the same. With 3, they are different.
  >> I have examples for each in the filtering book.
  >> With 2, you not only have to have filter exceptions (public to public), you
  >> also have to have proxy configured and running AND access rules.
  >> With 3, you just need to have static NAT configured, filter exceptions, and a
  >> default route on the GW server. This option is the most common one I see.

• Advantages and Disadvantages of Client Object Model in sharepoint 2013

  I need Advantages and Disadvantages of Client Object Model in sharepoint 2013
  like below in javascript. Users will have read/edit and approve access to the list.
    var clientContext = new SP.ClientContext.get_current();
         var oList = clientContext.get_web().get_lists().getByTitle('Workflow Tasks');
  MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

  Thanks 
  AlexanderShelopukho for
  right answer!
  Alex-
  I do not need comparison- 
  I need Advantages and Disadvantages of Client Object Model in sharepoint 2013
  MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

• How to lock down "settings" on my ipod?

  I need to lock down my "settings" on my ipod. I don't want to merely block access to Safari, but I want to block access to the settings area of the ipod. I have found "folder lock" apps at the Apple store, but they seem to be predominantly aimed at hiding one's ****, which is not at all what I need. I found a number of apps that would be available if I wanted to jailbreak my ipod, which I don't want to do.
  Anyone have suggestions?

  Sorry, but you cannot lock the Settings in general. Only those items that appear in the Restrictions can be locked.
  Regards.

• Need suggestion on locking down student imacs

  Hello, I just inherited a handful of computer labs. 8 imacs each spread out between 5 schools. 3 labs have internet access and 2 labs do not. Since I'm a complete noob when it comes to Mac OS Security what would someone recommend as my first step to locking down the computers. The students have tons of shortcuts on the desktop,downloaded mp3's, movies, myspace, facebook etc..It's a mess. Is there any 3rd party software that can manage desktops or can Mac OS do it all?
  Thanks

  Oh another Internet one I forgot...
  http://www.netnanny.com/mac?pid=3&gclid=CLmq6-zMzpkCFRFMagoduSShtQ
  Parental Controls in Leo...
  http://www.apple.com/macosx/features/parentalcontrols.html
  For even more control you can do Get Infos from the finder on the files/folders and change permissions so they can't write, only read, or no access.

• I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

  I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

  Well, try this (I was able to fix my with these steps):
  Go Utilities > Disk Utility
  Select your Startup Disk, e.g. Macintosh HD
  Then, under the First Aid Tab, click Verify Disk Permissions.
  If there are errors, then click repair Disk Permissions.
  After it is done, restart the computer and see if your problem is resolved.
  I hope this help.
  Zeke
  www.ZekeYuen.com/blog/

• Can we lock down the system for BW object and not bex objects

  Hello,
  I have a question about object changeability. We want to lock down the BW production system but leave it open for adhoc query. Can we lock down the BW system only for few objects like Cubes, ODS, Infoobjects, Infosets, Multiproviders, and keep the system open for Bex objects like Query, varaibles and also for Infopackges and DTP's.
  Which tcode can we use for this ?
  Thanks,
  Message was edited by:
          Kiran Mehendale

  hi, usaully production system will be non changeable for all objects.. but as far as SAP BW is concerned we can make certain objects changeable by setting as follows..
  in production go to RSA1 - Transport Connection, select Object changeability button from tool bar, here you will find a list of objects which can be made changeable in a closed system.. just click on required objects and set it to Everything Changeable..
  Reg,
  Pradhiba
  <REMOVED>

• Why does Livecycle Designer need to lock scripting on objects with children that are fragments??

  Can someone tell me why Livecycle need to lock scripting on objects with children that are fragments??
  I mean, just because I have a fragment (which you can't edit the script for), why does Livecycle need me to NOT edit say the initialise event on the Main form.
  Yes, I can remove my fragments, edit and reinsert.  Also if the event already has a script, I can edit the xml.  But neither of these are terribly convenient.
  Couldn't there be a better way?

  The purpose of the fragment is to create re-usable or standard components. In most cases the fragment is not created by the same person designing the form and they do not want the from designer to modify any part of the fragment (it is a separate XDP file). There may be code in that fragment that relies on the structure that exists. If you have the rights you can always edit the fragment and when your PDF is created the changes will be picked up.
  If you want to be able to modify the fragment while it is in Design mode sounds to me like you want to add a component to the object library. This will allow you to have a reusable piece of a form that you can modify on a form by form basis. To do this simply build the piece that you want. Lasso the entire form and drag it onto the Custom library. When you release it a dialog will pop up allowing you to name your component. Now on any form design you can drag your new component onto the canvas and all methods/properties and code will come with that component (allowing you to modify it for that form as you see fit).
  Note that you can create your own libraries to hold your components if you see fit. Also if you put your libraries on a shared drive, you can share components between Designers.
  Paul

• Turned my iPhone completely off and then on. The lock screen then came up with no clock and when I entered my pin, it would not bring me in, it would just go back to the same lockscreen with no time. Now says Temperature, needs to cool down

  Stuck on screen saying Temperature needs to cool down before use for hours, I don't know what to do

  Also, it does not say Swipe to Unlock, it says Swipe For Emergency. Maybe why the passcode isn't working?

• Quering the database using Client Object Model

  Hi,
  I have to fetch the list items from a list named "Project Status" and display it in a table using
  Client Object model.
  The equivalent server side code is:
  SPWeb web = SPContext.Current.Web;
  SPList list = web.Lists["Project Status"];
  DataTable dt1 = new DataTable();
  try
  if (list.ItemCount > 0)
  DataColumn dc;
  DataColumn dc1;
  dc = new DataColumn("ProjectId", Type.GetType("System.String"));
  dc1 = new DataColumn("Project Name", Type.GetType("System.String"));
  dt1.Columns.Add(dc);
  dt1.Columns.Add(dc1);
  DataRow dr;
  foreach (SPListItem item in list.Items)
  dr = dt1.NewRow();
  dr["ProjectId"] = item["ProjectId"];
  dr["Project Name"] = item["Project Name"];
  dt1.Rows.Add(dr);
  Repeater1.DataSource = dt1;
  Repeater1.DataBind();
  catch (Exception Ex)
  throw Ex;
  1 more issue what i face is providing two links in the Visual WebPart and their navigate url is based on a condition that is fetched from the database. This corresponding code has to be converted to
  Client Object Model.
  string user = web.CurrentUser.LoginName;
  string userID = user.Split(new char[] { '\\' })[1];
  string connString = @"Data Source=NorthWind;Initial Catalog=EmployeeDB;User ID=sa;Password=Newuser123";
  string query = "select * from EMPLOYEE_PROFILE";
  SqlConnection conn = new SqlConnection(connString);
  SqlCommand cmd = new SqlCommand(query, conn);
  try
  conn.Open();
  DataTable t1 = new DataTable();
  using (SqlDataAdapter a = new SqlDataAdapter(cmd))
  a.Fill(t1);
  DataRow[] dr = t1.Select("PsNo = '" + userID + "'"); //This will select all rows where the Name Column has current user
  foreach (DataRow r in dr)
  string bU = r["DeputedBU"].ToString();
  if (bU == "INS" || bU == "BFS")
  lnkPM.NavigateUrl = web.Site.WebApplication.Sites[0].Url + "/Dashboard.aspx";
  lnkSummary.NavigateUrl = web.Site.WebApplication.Sites[0].Url + "/DashboardWithHyperlinks.aspx";
  else
  lnkPM.Visible = false;
  lnkSummary.Visible = false;
  catch (Exception)
  throw;
  finally
  conn.Close();
  Any help would be appreciated.

  Hi,
  According to your post, there would be two questions in this single thread.
  It is recommended to post one question in one single thread which will make others easier to focus on one question in one thread.
  For the first question, you want to fetch list items and put into a DataTable object using Client Object Model.
  To fetch list items from a list using Client Object Model, you can take a look at the code snippet below from MSDN:
  http://msdn.microsoft.com/en-us/library/office/ee534956(v=office.14).aspx
  For the second question, you might need to retrieve the User object and site collections object using Client Object Model.
  However, if you can develop a Visual Web Part for your site, it means that you will be able to access the SharePoint Object Model which has more powerful APIs, so there is no
  need to use Client Object Model in a Visual Web Part.
  Best regards
  Patrick Liang
  TechNet Community Support

• Is it possible to lock down the _vti_bin and _layouts pages with a wildcard option.

  Hi all,
  A client of mine is running an internet facing sharepoint site. I have managed to lock down the _vti_bin and _layouts pages users for anonymous by using the following entries in my main web.config file:
  <location path="_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  But this is only ok for the root site collection. Is there a way to lock down all site collections, including sub sites with a type of wildcard entry?
  Due to the nature of the clients business, they will be creating many site collections and subsites. I am trying to find a scalable way to manage this. To add an entry for every new site collection or subsite that gets created on the fly does not seem like
  the most manageable solution.
  Any suggestions would be appreciated.
  Regards
  Mirco

  Hi Sachin,
  Thank You very much for the feedback. The info to secure system pages from authenticated FBA users is very helpful and I will definitely  implement it.  With reference to your second post. This is actually the information I used to lock down my
  sites from anonymous users. Applying this method I noticed that you needed to put an entry for every single site collection and sub site collection, e.g. if I ONLY had a site collection at
  https://me.myserver.com then the following entries in the web.config would secure the _vti_bin and _layouts folder from anonymous users:
  <location path="_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  But lets say I added another site collection at
  https://me.myserver.com/sites/mysitecollection I would have to add the following entries to the web.config file to secure it from anonymous users:
  <location path="sites/mysitecollection/_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="sites/mysitecollection/_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  Now this method might be manageable if you are only gonna have 5 or 10 site or subsite collections. My client will have 30, 40, 50, who knows how many. This is why I am trying to find a more manageable way of locking these sites down.
  You can imagine what my web.config will look like eventually and the admin involved in continuously adding these entries to the web.config file to keep it safe from anonymous users.
  Regards
  Mirco

• Security - Locking Down Oracle 9i

  Anyone,
  I have been asked by our auditors to lock down my Oracle environment by disabling the default accounts that are not needed.
  What User Accounts can I disable (Lock) and not break my Oracle environment?
  I am looking at the following:
  DBSNMP
  OUTLN
  WMSYS
  Will I break anything if I disable these accounts?
  Thanks in advance,
  Miller

  Hi
  DBSNMP User:
  For database event monitoring, it is recommended you use the pre-existing DBSNMP user account.The DBSNMP user is automatically created with each new database and is already used for basic monitoring such as checking database availability. When setting up the EM Event owner’s preferences for Preferred Credentials, specify DBSNMP as database credentials for all monitored databases. This account will be used by the agent for monitoring and historical data collection as well as by the OMS/Console for database browsing. The DBSNMP user has already been granted some basic privileges. However, if it is to be used for all database event monitoring, you will also need to grant:
  SELECT_CATALOG_ROLE role.
  OUTLN User:
  This user is used while using TKPROF utility
  select user# from sys.user$ where name = 'OUTLN'
  WMSYS: Don't know about this user.
  I suggest to remove only SCOTT user account, as this is a demo user account.
  Hope this was useful.
  Thank You