PCI compliance and VM server administrator

I have a situation where an application has to encrypt/decrypt some credit card data, each encryption key (it could be symmetric or private asymmetric) has to be in two separate places, managed by different people. One person cannot have access to any part of the key and the ciphertext it decodes at once. The application is a Windows service, it will have to have access to the whole key and the ciphertext in order to work on/process the decrypted data.

How can I make sure the server administrator (we use VMs) does not have access to both the key and ciphertext, but since it’s an admin account it will have full control over the VM (and thus the service)?

SQL Server Agent job for LinkedServer

has anybody seen this error before? I have a job running on server A against linked server B. However linked server B is also server A.

The job didn’t complete successfully for the second times in a row.

The error message is:

TCP Provider: Only one usage of each socket address (protocol/network address/port) is normally permitted. Error 10048 OLEDB provider SQLNCL11 for linked server HJEAST returned messgae “Login timeout expired” error 7412 OLE DB provider “SQLNCL11” for linked server returned message “A network related or instance specific error has occured while establishing a connection to SQL Server. Server is not found or not accessable. Check if instance name is connect and SQL server is configured to allow remote connections.

howto completely secure backup server env?

I have a secure and private aws ec2 environment but I need to do some backups of mongodb, postgresql, so I have a separate ec2 instance for doing backup and occasionally allow 80 and 443 to allow install/update software on backup instance.

I use shell scripts to do backup job, it requires hardcoded password or credentials in scripts, I don’t feel it secure enough to have all credentials saved into one place — backup instance.

How to secure backup instance to avoid saving passwords/credentials in plain text, I also want to avoid saving passwords/credentials in memory or temporary files?

Foreign domain points to server and sends spam

I do have a really weird one. I am running a webhosting server that is being blocked by certain providers that use Cloudmark. I contacted the customer support and they got back with an email header that is unfortunately sending spam.

Received: from sub.domain.example ([1.1.1.1(my servers ip)]) Subject: sven.n.nilsson,=?utf-8?q?=62=65=6b=72=c3=a4=66=74=61=20=64=69=74=74=20=64=65=6c=74=61=67=61=6e=64=65=2e=2e=21=21=21?= From: =?utf-8?q?=53=77=65=64=69=73=68=20=6d=65=74=68=6f=64?=  <VNH9DI6HOW68YGD4AWRMSPB0VT7UWSHX5@gmail.com> 

The header states, that the mail came from my server. But how is that possible, I do have a closed relay and there is no mailbox for that domain. Furthermore, the domain is pointing to my servers’ IP. How can I prevent it from faking email headers and pointing to my servers’ IP?

Let’s encrypt certificate in the backend server

I created a let’s encrypt certificate for my domain and install my SSL certificate in the nginx reverse proxy. Now, I want to secure the communication between the proxy and the backend server using also let’s encrypt and I have the same domain name for both the proxy and the server. I don’t want to use self-signed certificate in the backend server. So, how can I use let’s encrypt for both the server and the proxy?

10 Gpbs server

CPU RAM Hard Drive Bandwidth IPs Price/Month
2 x Silver 4110 128GB 2× 500GB SSD Unmetered/10G/Unmetered/1G 1 $ 390.00
2xE5520 72GB 4x3TB SATA/4x512GB SSD Unmetered/10G 1 $ 849.00
2xE5520 16GB 4× 240 GB Unmetered/10G 1 $ 519.00
2xE5-2650 64GB 4x250GB SSD Unmetered/10G 1 $ 519.00
E3-1270v2 16GB 2TB SATA Unmetered/10G 5 $ 1700.00
2xE5-2620v4 64GB 2x500GB Unmetered/10G 1 $ 2539.00
2 x Silver 4110 64GB 2× 500GB SSD Unmetered/10G 1 $ 2600.00

https://www.vpb.com/grouproom.php?gid=1065&fuid=269

Moving SQL Server Database Files to New Location – Why permission error?

I was trying to move a database (.mdf + .ldf) to a different directory on the same server hosting the SQL server. I followed these steps found in this link:

  1. ALTER DATABASE MyDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE

  2. ALTER DATABASE MyDB SET OFFLINE

  3. ALTER DATABASE MyDB MODIFY FILE (Name = MyDB, Filename = ‘N:\DATA\MyDB.MDF’)

  4. ALTER DATABASE MyDB SET ONLINE

  5. ALTER DATABASE MyDB SET MULTI_USER

How do I move SQL Server database files?

When I got to Step4, I got “Access Denied”. Unfortunately, my maintenance windows were very short and no time to troubleshoot. So I decided to drop the database and restored it using the WITH MOVE clause to place the DB files in the right directory. No issue.

My question is why did I get “Access Denied”? I didn’t change MSSQL service account. It’s the same account that ran the RESTORE.

Thanks

Should user input be validated/checked for it’s length in PHP (server side) as a security measure?

important to note that this user input is something that after validation & sanitation – will be inserted into a database, and later on be shown to other users on the same web site. (example: a forum) I’m referring to both a case when I know in advanced what’s the length I should expect from the user and a case in which I don’t but know vaguely that’s not more than 100 length. I’m trying to figure out if there is any security advantages for checking user input length in PHP. taking into account I’m already validation & sanitation user input based on the type of content I’m expecting using regex. I know this differs from language to language to I want to refer to PHP this time, but any referring to other language like Java, .NET, python etc. would be fine.

A central server with Data that will work as a virtual safe

The main implementation would be a dedicated Server with Data stored on it that will be shared like a drive and only authorised personal with the dedicated server IP and Account login info like a VPN net , while u can access the data not only from the lan u can also access it from the wan as well . So the question is , Do u have any suggestions to a company which is selling a software for this implementation and or is a AD server with RRAS with VPN Roles to make it by myself so i can control it all by myself ?