How to mirror user access between Windows 2016 Servers

I’m setting up an intranet web server that will handle requests coming form multiple different types of employees.

One of the request that my server will need to handle is to query data from a second server. The second server is hosted by a different team and has restrictions as to who can access their server (using windows authentications – usedefaultcredentials). My server does have access to query the second web server.

For the requests that require my server to do the querying I would like a method to emulate the validation criteria set by this second server.

Is there a way to: 1. Forward the received request (or part of) to the second server to see if they validate the user? or 2. Send a new request to the second server to ask if this user is validated? or 3. Create a connection between the servers that will maintain the set of authorized users so that my server can validate the request. This would need to done via automation for there is no chance that I can add a recurring task to other teams workload (Manually informing us of which user is now listed or unlisted is not a feasible solution).

I can request the other team to do small changes but there can’t be any big overhaul. Also it can only be one way (my server can’t have any way to manage/change permissions on the second server).

How to securely access oracle system user credentials from my installer

We have a installer that we have built using scripts. When we start the installer, it asks for the database system user and password, which it needs to create application users. We do not want the user doing the installation to know the system user password. Hence we are looking for ways in which installation can go through without sharing the system user password. Few things we have explored. Encrypting the system user password using an utility. This is not very feasible, considering that we have to embed the key in the installer, which is not obfuscated/encrypted(basically user can read it by opening it) Obfuscating the utility used for encryption and installer. This was ok, but it is still unsafe, as obfuscation itself is not fool proof.

Is there any other way , this can be handled. Is there an Oracle API, that we can use? Please suggest.

Would an anti-magic field block targets of Dragon’s Breath spell user?

Consider someone has dragon’s breath cast on them.

Until the spell ends, the creature can use an action to exhale energy of the chosen type in a 15-foot cone.

What happens if this creature exhale energy on targets inside an antimagic field?

Does the effect pass through as if it were a dragon’s breath weapon?

Should user input be validated/checked for it’s length in PHP (server side) as a security measure?

important to note that this user input is something that after validation & sanitation – will be inserted into a database, and later on be shown to other users on the same web site. (example: a forum) I’m referring to both a case when I know in advanced what’s the length I should expect from the user and a case in which I don’t but know vaguely that’s not more than 100 length. I’m trying to figure out if there is any security advantages for checking user input length in PHP. taking into account I’m already validation & sanitation user input based on the type of content I’m expecting using regex. I know this differs from language to language to I want to refer to PHP this time, but any referring to other language like Java, .NET, python etc. would be fine.

Best practice for requiring an “access code” before user can use app

To put things into context, we have an app that lets users earn money by just learning.

Because of this, we have to be quite strict about which users are allowed to sign up as we obviously have limited funds and we only want “authorized” users to be able to use the app.

We’ve created an access code system and previously we’d ask how they heard about the app and then after they select an option we ask them to enter an access code. It looked like this:

enter image description here

The problem we had with this implementation was:

  • Users got confused and would sometimes drop off.
  • Users who didn’t have an access code got confused why they couldn’t access the app and left bad reviews.

So, now we’re redesigning the flow, and our idea is to just have 1 textarea where they can enter their access code:

enter image description here

With this new design we’re hoping that it’ll be a lot more clear, and for the users that select that they don’t have an access code we’re thinking about letting them use the app without being able to earn money.

I’m wondering if all you experienced UX designers have come across an implementation like this before.

Any tips or advice would be great. Thank you.

Best way to authorize and authenticate a user on web API

I am doing a hypothetical web just for learn some security tips and the first problem I’ve found is the login, I’ve read like 40 articles, a lot of questions here on stackoverflow and I still don’t know which method is the best one (this is a non-real case, so we can assume we need a very high security)

most webs I’ve developed I use a expirable access token that I need to send on every call to the API via query param or via Authorization header, then I store the token on the local storage

I’ve read some articles that claims that way is unsecure and the best way is with cookies, I’ve read also that the best way is with sessions

Any hint? I’m a bit confused about which way is the best one to secure first the authentication and then the store of the access token to make the authorization

Why aren’t ZUIs (zoomable user interfaces) popular?

After reading Jef Raskin’s The Humane Interface it seems that ZUIs are a obvious paradigm choice to make easier interfaces. Apparently the original iPhone interface was a big investment in that direction with many ZUI patterns, although not considered 100% a ZUI.

Why are ZUIs not a popular UI paradigm / more common?

How can one tell if a binary is safe to give sudo permissions for to an untrusted user?

sudo is sometimes used to give untrusted or “semi-trusted” users the ability to perform certain tasks as root, while not giving them unlimited root access. This is usually done via an entry into /etc/sudoers, specifying which programs can be executed.

However, some programs may provide more (no pun intended) functionality than expected, such as more, less, man or find, which offer to execute other programs – most notably a shell.

Usually, which programs are safe to execute depends on knowledge of the sysadmin. Certain binaries like echo or cat are most likely safe (i.e. don’t allow the user to spawn a shell), while others like the examples above are known to be exploitable.

Is there a way to assess with reasonable confidence whether or not an executable is “safe” when given sudo permissions for? Or is the only way a comprehensive source-code audit?

In response to cat not being safe: Yes, it can be used to read sensitive files as root. In some setups, this may be the intended use-case (e.g. a limited user being able to read as root, but not write).

Furthermore, comments or answers explaining to me that sudo is not the correct way to grant read permissions like this: I know. I am absolutely aware how a file-system should be structured, but due to the nature of my work, I can’t influence how file-systems are structured on those servers. All I can do is to see which recommendation fixes the immediate problem. So please, don’t challenge the frame of the question. I don’t have an XY-problem.

Is it safe to run a Kubernetes container as a root user? [on hold]

I run my Spring Boot (Java) application in the Kubernetes environment as a root user and with JMX authentication turned on.

My k8s containers are being flagged as a security risk by the security professionals in my company. Is it really a security risk or just plain old housekeeping?

Will it make a difference if the JMX is unauthenticated?

P.S. I’ve asked this question in Stack Overflow but didn’t get a response that I was looking for.