Azure SQL Database – dedicated administrator connection (DAC)

If you check the setting in any of your Azure SQL databases, you will see that the value_in_use column value is zero for Remote admin connections. Meaning ‘Remote admin connections’ are not allowed from remote clients. There is no way to change that at the time of writing this question. sp_configure is not available for Azure SQL Database.

SELECT * FROM sys.configurations WHERE NAME = 'remote admin connections' ORDER BY NAME; 

Does that mean Remote admin connections are not allowed for Azure SQL Databases?

Keeping data confidential from the system administrator


Problem

How do I ensure that I cannot access confidential data manually through the database? Practically speaking, this is a Firestore database on Google Cloud, and I have access to the administrator Google account. For the purposes of this question, we assume the code is perfect, and is trusted to be not malicious in any way.

I’m developing software for a client, and one of the requirements is that the data is only accessible by two other people, and I am not one of them. It’s a small project, and I’m both the sole developer and system administrator. I’m capable of ensuring data confidentiality when the only point of access is the application, but due to the system administrator role I also have direct access to the database.

Possible Solutions

  1. Remove my admin access to the database.

    While it would solve the problem, it would also make further development and support rather difficult.

  2. Use encryption

    Possible, if I only encrypted the records that were confidential. It would slightly impact support but not to any major extent. The main problem here is how to ensure I don’t have access to the decryption key, while the server does.

  3. Use database permissions

    As far as I can tell, Google Firestore only has permissions for different actions, where I would need to have row or column based permission. I could probably do it with table based permission too. Technically speaking, as administrator I could add permission back, but so long as it kept a history of permission changes this should be fine.

Can’t use /wp-json/wp/v2/plugins API endpoint even as administrator

Using Basic Authentication as an Administrator, I am getting an error code 401 Unauthorized: [rest_cannot_view_plugins] Sorry, you are not allowed to manage plugins for this site. error when I attempt to access the GET /wp-json/wp/v2/plugins endpoint of my server. I can pull Post and Page info with no problem, but when I query against the plugins, I’m getting the 401 error. I’ve confirmed that the userid used in the API call should be able to manage plugins using the CLI tool:

# wp user list-caps $USER | grep plugin
activate_plugins
edit_plugins
update_plugins
delete_plugins
install_plugins

Any pointers would be appreciated.

PCI compliance and VM server administrator

I have a situation where an application has to encrypt/decrypt some credit card data. Each encryption key (it could be symmetric or private asymmetric) has to be in two separate places, managed by different people. One person cannot have access to any part of the key and the ciphertext it decodes at once. The application is a Windows service; it will have to have access to the whole key and the ciphertext in order to work on/process the decrypted data.

How can I make sure the server administrator (we use VMs) does not have access to both the key and ciphertext, but since it’s an admin account it will have full control over the VM (and thus the service)?
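
The two-custodian requirement described in the question above, shown as an added example that is not part of the original post: a key is split into XOR components so that no single holder learns anything about it, and the service rebuilds it only when every component matches a recorded check value. The function names, the HMAC-based check value and the 32-byte key length are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key (length assumed for this example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    # Short fingerprint stored next to the ciphertext so a recombined key can
    # be verified. Truncated HMAC-SHA256 over a fixed label is an assumption
    # of this example, not a standardised key check value.
    return hmac.new(key, b"key-check-v1", hashlib.sha256).hexdigest()[:12]


def split_key(key: bytes, holders: int = 2) -> list[bytes]:
    # holders - 1 components are uniformly random; the last one is the key
    # XORed with all of them. Any subset smaller than `holders` is
    # statistically independent of the key.
    if holders < 2:
        raise ValueError("need at least two custodians")
    randoms = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for r in randoms:
        last = xor_bytes(last, r)
    return randoms + [last]


def combine_key(components: list[bytes], expected_check: str) -> bytes:
    # Done inside the service at start-up. The whole key exists only in the
    # service's memory from this point on, which is the exposure the question
    # is asking about; splitting covers storage and custody, not runtime.
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("components do not match the recorded check value")
    return key


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)          # constructed sample key
    part_a, part_b = split_key(dek)             # one component per custodian
    assert combine_key([part_a, part_b], check_value(dek)) == dek
    print("recombined key verified, check value", check_value(dek))
```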

Can a system administrator check if their website is being scraped by a headless browser?

A recent article on scraping TikTok and Facebook states:

On the one hand running selenium headlessly is perfect to keep your machine “cool”, however it may help get you flagged as a scraper. System administrators can spot a headless request with ease.

The author uses a random User-Agent for each request, so I’m not sure where the logs would indicate that a headless version of a browser is making the request. Are there any specific signatures to detect a headless browser?

Good faith effort on the question:

With foresight, it looks like one could make a check for things like webdriver version (which can be spoofed too). However, by stating sys admins, the quote seems to imply that the logs themselves are sufficient to detect a headless browser.