Sunday, 17 March 2013

Web.py, Lighttpd and FastCGI

 

Following the instructions from http://webpy.org/install and http://webpy.org/docs/0.3/tutorial I had setup Lighttpd.

However, when running the demo code the following error was received

 

2013-03-17 23:04:19: (mod_fastcgi.c.1490) released proc: pid: 8806 socket: unix:/var/tmp/lighttpd/fastcgi.socket-0 load: 0
2013-03-17 23:14:50: (mod_fastcgi.c.1732) connect failed: Connection refused on unix:/var/tmp/lighttpd/fastcgi.socket-0
2013-03-17 23:14:50: (mod_fastcgi.c.454) backend disabled for 1 seconds
2013-03-17 23:14:50: (mod_fastcgi.c.3002) backend died; we'll disable it for 1 seconds and send the request to another backend instead: reconnects: 0 load: 1

Checking the script showed that it was working correctly and no useful information was appearing in error.log

The following config option was then added to lighttpd.conf

server.breakagelog          = "/var/log/lighttpd/breakage.log"

This gives the much more useful

Traceback (most recent call last):
  File "/var/www/code.py", line 16, in <module>
    app.run()
  File "/usr/local/lib/python2.7/dist-packages/web.py-0.37-py2.7.egg/web/application.py", line 313, in run
    return wsgi.runwsgi(self.wsgifunc(*middleware))
  File "/usr/local/lib/python2.7/dist-packages/web.py-0.37-py2.7.egg/web/wsgi.py", line 35, in runwsgi
    return runfcgi(func, None)
  File "/usr/local/lib/python2.7/dist-packages/web.py-0.37-py2.7.egg/web/wsgi.py", line 16, in runfcgi
    import flup.server.fcgi as flups
ImportError: No module named flup.server.fcgi

This was unexpected as I had already used easy_install to install flup, but upon checking could find no evidence of it being installed

The latest egg was downloaded from https://pypi.python.org/pypi/flup and installed using easy_install.

The installation process was then checked by making sure flup could be imported.

Friday, 8 February 2013

Windows Event Log Permisions & SQL Server Command Proxies

The following problem outlined in this entry is a relatively common situation but when searching for a solution there was not a single definitive guide for what I needed. This post is based on information in the following articles.
Jag Padda's Blog - Event Log Permissions
Washington University - Understanding SDDL Syntax
Microsoft – KB323076
Window Security – WEVTUTIL
Database Journal - Proxy Accounts in SQL Server
The following was written and tested against SQL Server 2008R2 and Windows Server 2008R2.
Background
You are in the envious position of being both the DBA and Windows administrator for a company and are given the task of integrating a third party application into your estate. The application consists of a database, a middle tier component running as a service and a client which runs on the user computers. In addition to this the application has multiple utility programs responsible for importing/exporting data, initiating summarisation routines.
This means in addition to the core service there are SQL Server Agent jobs calling out to a variety of programs, batch files and scripts. These additional programs either access the database through the middle tier or connect directly to the database, where they connect directly to the database the connection string is managed with a UDL file. In an effort to improve security windows authentication will be used rather than storing credentials in a text file.
Configuring Proxies.
For programs called by SQL Server agent we are going to use a proxy account to limit the permissions needed (SQL Server Agent is already running under a separate Managed Service Account).
First create the cmdshell proxy account which is needed to allow a non system admin account to run xp_cmdshell
EXEC sp_xp_cmdshell_proxy_account 'Domain\User', 'PASSWORD;
This results in the creation of the credential ##xp_cmdshell_proxy_account## which can now be assigned to the Operating System (CmdExec) Proxy
EXEC msdb.dbo.sp_add_proxy @proxy_name=N'CommandShell',@credential_name=N'##xp_cmdshell_proxy_account##', @enabled=1
EXEC msdb.dbo.sp_grant_proxy_to_subsystem @proxy_name=N'CommandShell', @subsystem_id=3 

EXEC msdb.dbo.sp_grant_login_to_proxy @proxy_name=N'CommandShell', @login_name=N'DOMAIN\USER'



In this case I have named the proxy CommandShell so when calling sp_add_jobstep the parameter @proxy_name would be CommandShell
The user account used for the proxy was then removed from the users group in active directory and given access only to the directories necessary for implementation.
Finally the permissions at the database level were set to deny everything apart from those functions which were necessary.
Configuring Event Log
Some of the external programs being called through the Command Shell Proxy were attempting to write to the Application event log by calling EventLog.WriteEntry which was failing. Clearly granting many additional permissions to the proxy account would be defeating the purpose of the earlier security work so it was necessary to only allow the Application event log to be accessible.
Firstly identify the SID of the user account by using powershell

Import-Module ActiveDirectory
$user= New-Object System.Security.Principal.NTAccount("DOMAIN_NAME", "USER_NAME")
$sid= $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid.Value


This will give you the security ID of the domain user (in this case S-1-5-21-96566445-2708948433-2759571698-1113)

The next step is to use wevtutil (Windows Event Utility) to get the ChannelAccess (CA) value for the Application log.

wevtutil gl Application

This gives the output

name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1


The important bit is the channel access value O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

TokenMeaning
O:BAOwner: Built-in administrators
G:SYGroup: Local system
(A;;0x3;;;IU)Access Allowed, Read/Write for Interactive Users


In this case we want to add an extra block for our account

(A;;0x3;;;S-1-5-21-96566445-2708948433-2759571698-1113)

This will give read/write permission for the SID

To apply this you would execute

wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-21-96566445-2708948433-2759571698-1113)

If you wanted to simplify it and make it for all Authorised Users it would be

wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;AU)

Now under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application you have the new key CustomerSD

image