Disable password policy for partially-contained database SQL Server

I’m stuck in a situation where I need to create a new user for a partially-contained database (SQL Server 2016). The password is short, so I get an error:

Password validation failed. The password does not meet Windows policy requirements because it is too short.

When creating a login at the instance level, there is an option to untick ‘Enforce password policy’, ‘Enforce password expiration’, and ‘User must change password at next login’. There is no such option when creating a user for a partially-contained DB.

Is there a way to get around this?

Thanks

Does the same-site cookie policy potentially change anything for CORS?

According to the new same-site cookie policy (once implemented across all browsers), a third-party call from another page would not send along the cookies by default, unless the third party explicitly indicates that by setting appropriate cookie metadata.

As per my understanding, this would help with CSRF prevention. Does it cover all cases for CSRF? Can this policy obsolete the same-origin policy since it seems to solve the same problems, or does the same-origin policy cover other use cases? Does this potentially mean that we wouldn’t need CORS setup on the servers anymore?

Security Benefits of Having a Content Security Policy for a Domain Loaded through iframe

Consider the below scenario:

There’s a checkout webpage that can be accessed at checkout.example.com. This page has decent security policy. But just to prevent any credit card info leakage, credit card information editing panel is in an iframe and this panel can be loaded from cc.example.com.

Now, are there any security benefits for having a good Content Security Policy for cc.example.com when we are loading it in an iframe in checkout.example.com?

What kind of “actions” can a TPM2 policy authorize?

I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this article: https://threat.tevora.com/secure-boot-tpm-2/

There is a paragraph near the middle that reads:

TPM2 has the ability to create policies based off of PCRs: If the PCR contents do not match expectations, the policy will not authorize the action.

What kind of actions are they talking about here? And what would be the immediate ramifications if the action was not authorized?

Some background: Before today, I was under the impression that the principal trick of the TPM was to encrypt or decrypt data using a key that the TPM holds securely. Now this article suggests that the TPM can also (two different functions) encrypt or decrypt data based on the current state of its PCR registers… this seems similar enough to my previous understanding that I can believe it.

If my understanding is correct, I can see how this would be useful to our project’s goals; encrypt a blob of data that is critical to the success of the boot (say… the kernel*) with the state of the PCR registers while the PCR registers are in a known-trustworthy state (i.e. while known-trustworthy software is loaded). If software that writes different PCR registers replaces the known-trustworthy software, then the kernel blob won’t decrypt properly, and execution “halts”. Presumably there are ways to handle this halting gracefully, like Bitlocker or LUKS; I imagine if I just encrypted executable code and then decrypted it with the wrong key, it would produce gibberish, and the machine would do unexpected things rather than halt gracefully when running that gibberish.

A co-worker has taken the position that there’s a simpler way; that a TPM can permit or refuse an action directly… so, like, it halts the processor or something, I guess? He doesn’t express himself very well, and when I tried to summarize his position he told me I got it wrong, so… I’m deliberately keeping the details of his position scant. Suffice it to say, my understanding of what a TPM does wouldn’t allow for what he describes…

You could interpret the two sentences from the article as supporting his position, or mine, depending on what actions it is possible to ask the TPM to authorize, and what the immediate ramifications of the TPM denying you the authorization to do something would be. Does anyone here have an opinion?

*…how would I “encrypt the kernel”, exactly? :-p
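As an added illustration (not part of the question or the linked article), the following is a simplified Python model of the boot-measurement idea the question describes: PCRs are extended with each boot component, a secret is sealed to the expected PCR value, and the "action" the policy authorizes is the unseal. The boot components and the secret are constructed values; a real TPM performs the hashing, the policy check and the refusal internally, but the shape of the outcome is the same: a refused command, not garbled plaintext.

```python
"""Toy model of a TPM2 PCR policy gating an unseal (added example, not TPM code)."""
import hashlib
import hmac


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM2_PCR_Extend semantics: new = H(old || digest of the measured component).
    # PCRs start at all zeros; the value depends on every component and their order.
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    # The policy stored with the sealed object records the PCR digest that must be
    # present before the TPM will release the secret.
    return {"policy_pcr": expected_pcr, "secret": secret}


def unseal(sealed: dict, current_pcr: bytes) -> bytes:
    # The authorization step: on a PCR mismatch the action is refused outright.
    if not hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        raise PermissionError("policy check failed: PCR value does not match")
    return sealed["secret"]


# Constructed boot chains: a known-good one and one with a modified bootloader.
TRUSTED_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]


def boot_attempt(chain) -> str:
    """Seal a disk key to the trusted PCR state, then try to unseal after measuring `chain`."""
    sealed = seal(b"disk-key", measure_boot_chain(TRUSTED_CHAIN))
    try:
        return unseal(sealed, measure_boot_chain(chain)).decode()
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print("trusted boot:", boot_attempt(TRUSTED_CHAIN))
    print("tampered boot:", boot_attempt(TAMPERED_CHAIN))
```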

CORS policy during development

Does the CORS policy add any value during the development phase? Should I develop with CORS on or off? The development is occurring in a distributed environment and there are no local copies of components, only a testing environment where components are uploaded and tested (not on the same servers, so CORS still applies). If I should enable the CORS policy, how should I set it up so my distributed teams can work against my back-end server from their development environments?

This question was strongly influenced by this one: should-i-develop-with-tls-on-or-off

With the existence of CORS, what further purpose does the same-origin policy serve?

I’ve been using CORS for a while and I think I understand it. But as far as I can tell, because the allow-origin header is provided by the server being called, which an attacker can control as they see fit, the same-origin policy cannot prevent an injected script from calling an attacker’s server.

Furthermore, by using my own server as a proxy, and spoofing headers, I can essentially make any HTTP call to any server in the world, regardless of their CORS settings.

Assuming an attacker can do whatever they want with their server, does this mean that same origin policy is dead?

Changing the default forward policy to accept (VPN/NAT)

I came across something that seems counter-intuitive while reading a tutorial associated with a very popular hosting provider showing people how to install their own Debian-based OpenVPN server. Specifically the default forward policy is changed from “DROP” to “ACCEPT” in order to allow traffic to be routed correctly. There seem to be no additional rules anywhere that would in any way restrict routing beyond this default policy.

If I understand correctly, this could allow someone to use the machine as a gateway into the VPN, potentially allowing unsolicited traffic through. The logic here is that without any rules preventing packet forwarding, the OS will simply forward any traffic not destined for itself. For example, someone could make a static route for the external IP, assuming a network of 10.8.0.0/24. Normally NAT would act as a firewall, but in this case I can only assume it would, at best, rewrite the IP of response packets.

This is the tutorial for reference: How To Set Up an OpenVPN Server on Debian 9

I just want to know are my concerns justified or is there something that I’m missing?
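As an added illustration (not from the question or the tutorial), here is a toy Python model of the FORWARD chain that compares the "default ACCEPT with no rules" setup the question describes against a ruleset that forwards only VPN-client traffic and its replies. Interface names, addresses and the two packets are constructed; the model mirrors the question's reasoning about routing and does not consult a real kernel.

```python
"""Toy model of netfilter FORWARD-chain evaluation (added example, not iptables itself)."""

def forward_decision(rules, policy, pkt):
    """First matching rule wins; with no match the chain's default policy applies."""
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return policy


# Rule helpers: each returns a predicate over a packet dict.
def in_iface(name):
    return lambda p: p["in"] == name

def out_iface(name):
    return lambda p: p["out"] == name

def established():
    return lambda p: p["state"] == "ESTABLISHED"

def both(*preds):
    return lambda p: all(f(p) for f in preds)


# Tutorial-style chain as described in the question: policy ACCEPT, no FORWARD rules.
TUTORIAL = ([], "ACCEPT")

# Tightened chain: default DROP, forward only tun0 -> eth0 and replies flowing back.
TIGHT = ([
    (both(in_iface("tun0"), out_iface("eth0")), "ACCEPT"),
    (both(in_iface("eth0"), out_iface("tun0"), established()), "ACCEPT"),
], "DROP")


def unsolicited_from_internet():
    # The question's scenario: an outside host routes 10.8.0.0/24 via the server's
    # public address, so the kernel would route the packet eth0 -> tun0 (constructed).
    return {"in": "eth0", "out": "tun0", "src": "198.51.100.7", "dst": "10.8.0.5", "state": "NEW"}


def vpn_client_to_internet():
    # Legitimate use: a VPN client reaching the Internet through the server (constructed).
    return {"in": "tun0", "out": "eth0", "src": "10.8.0.5", "dst": "203.0.113.9", "state": "NEW"}


if __name__ == "__main__":
    for name, chain in (("tutorial", TUTORIAL), ("tight", TIGHT)):
        print(name, "unsolicited:", forward_decision(*chain, unsolicited_from_internet()),
              "client:", forward_decision(*chain, vpn_client_to_internet()))
```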

Enforcing DMARC policy (reject) on an Office 365 tenant

The domain & tenant has SPF and DKIM properly configured and DMARC policy set to p=reject. Still, emails spoofed with the domain in the From header aren’t rejected, but appear in the Junk Email folder on Office 365. People do check their Junk Email for false positives, and are still reading all the CEO frauds, sextortion letters etc.

This seems a feature instead of a bug, as described in Microsoft’s documentation:

How Office 365 handles inbound email that fails DMARC

If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=reject and p=quarantine the same way.

Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.

However, this reasoning has some flaws:

  • DKIM protects legitimate mail; DKIM signed messages do pass with the DMARC policy even if it fails to align with the SPF when forwarded on a mailing list. (Mailing lists should change the envelope sender to pass SPF checks, anyway, so the SPF checks are probably passed, but not aligned.)

  • By implementing p=reject instead of p=quarantine the owner of the domain has stated that the emails should be rejected. Therefore, Microsoft’s implementation is against RFC 7489, 6.3:

    p: Requested Mail Receiver policy ...
        reject: The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction.

Is there any setting on Office 365 to alter this behaviour and reject these messages?
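As an added example (not from the question or from Microsoft's documentation), the following Python evaluates the DMARC mechanism check in RFC 7489 terms for the two cases the question contrasts: a mailing-list forward where SPF passes on the list's envelope domain but only DKIM is aligned, and a spoofed From header with no aligned authentication. The domains, the `p=reject` record and the authentication results are constructed; the mailing-list case assumes the list left the DKIM-signed content intact, and organizational domains are approximated by the last two labels rather than a public-suffix list.

```python
"""DMARC alignment and disposition check (added example, not the post's or Microsoft's code)."""

def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels (no public-suffix list here).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record: dict, from_domain: str, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (passes, requested_action).

    spf_pass_domain: MAIL FROM domain if SPF passed, None if it did not.
    dkim_pass_domains: d= values of the signatures that verified.
    """
    adkim = record.get("adkim", "r")
    aspf = record.get("aspf", "r")
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, aspf)
    passes = dkim_ok or spf_ok
    return passes, ("none" if passes else record["p"])


# Constructed record for the domain in the question's position: p=reject, relaxed alignment.
RECORD = {"v": "DMARC1", "p": "reject", "adkim": "r", "aspf": "r"}


def mailing_list_forward():
    # The list rewrote the envelope sender, so SPF passes for lists.example.org but is
    # not aligned with example.com; the surviving DKIM signature is aligned, so DMARC passes.
    return dmarc_result(RECORD, "example.com", spf_pass_domain="lists.example.org",
                        dkim_pass_domains=["example.com"])


def spoofed_from_header():
    # Spoofed From: example.com with neither aligned SPF nor aligned DKIM: the record asks for reject.
    return dmarc_result(RECORD, "example.com", spf_pass_domain="attacker.example.net",
                        dkim_pass_domains=[])


if __name__ == "__main__":
    print("mailing list forward:", mailing_list_forward())
    print("spoofed From header:", spoofed_from_header())
```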