Restrict access to Website based on Geographical location - c#

I want to put in a restriction so that certain regions, cities and countries are not able to access my website. I came across a concept called GeoFencing, but I guess that can only be implemented on Windows Phones or Windows 10. I came across a few free APIs that would return my client's location details.
I am working with Visual Studio 2015.
I also came across HTML5 Geolocation; it will ask the user for permission to allow the website to know his/her location, which is not good enough for me.
I want to know, what are other better choices or solutions we can look into?
Also, since I am using IIS server for deployment, can I use .htaccess in my case?
I have come across this IPSecurity configuration at server level. Is this a viable option? Has anyone tried it?
TIA

There are things you can try to do to find out the location of the user.
As you already found you can request their location from their browser, but that requires asking their permission, and it can be unreliable.
The location can be manually set, and in the case of desktop computers it's unlikely the computer has a GPS attached to provide a good location.
Another option is to look up their IP in a geoip database: GeoIP2 City Database Demo
There does appear to be a GeoIP module for IIS 7+, but I haven't tried it personally: IIS7 Geoblock Module
But, these methods are unreliable and can give indeterminate, or even flat out wrong results.
The user can decline to provide their browser location, or the user can set their browser location to be the other side of the world.
And what IP is the user using? What about if they use a VPN? Now you have the geolocation for the VPN's IP.
The real answer is that you can't reliably find out where the end user is.
.htaccess
.htaccess is one of the ways Apache allows configuring security.
IIS uses different configuration methods.
Both IIS and Apache require 3rd party modules to restrict access based on geolocation, it's not something provided as standard.
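
An added example (not code from the original answer) of the IP-based approach discussed above: a country block list checked against an IP range table, with an explicit policy for addresses whose country cannot be determined. The class and method names are hypothetical, and the range table is constructed sample data; a real deployment would read the ranges from a GeoIP database.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

static class GeoBlock
{
    // Constructed sample table: RFC 5737 documentation ranges, made-up country codes.
    static readonly Tuple<string, int, string>[] Ranges =
    {
        Tuple.Create("192.0.2.0", 24, "AA"),
        Tuple.Create("198.51.100.0", 24, "BB"),
    };
    static readonly HashSet<string> BlockedCountries = new HashSet<string> { "AA" };

    static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();            // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // Returns null when the address is unparsable, not IPv4, or in no known range.
    public static string LookupCountry(string remoteAddr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip) || ip.AddressFamily != AddressFamily.InterNetwork)
            return null;
        uint addr = ToUInt32(ip);
        foreach (var r in Ranges)
        {
            // A shift by 32 wraps to 0 in C#, so a /0 prefix is handled separately.
            uint mask = r.Item2 == 0 ? 0u : uint.MaxValue << (32 - r.Item2);
            if ((addr & mask) == (ToUInt32(IPAddress.Parse(r.Item1)) & mask)) return r.Item3;
        }
        return null;
    }

    // failClosed: deny addresses whose country cannot be determined.
    public static bool IsAllowed(string remoteAddr, bool failClosed)
    {
        string country = LookupCountry(remoteAddr);
        if (country == null) return !failClosed;
        return !BlockedCountries.Contains(country);
    }

    static void Main()
    {
        foreach (var ip in new[] { "192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8::1" })
            Console.WriteLine("{0,-14} country={1,-7} failOpen={2} failClosed={3}", ip,
                LookupCountry(ip) ?? "unknown", IsAllowed(ip, false), IsAllowed(ip, true));
    }
}
```

The decision is only as good as the address it is given: a request arriving through a VPN or proxy is judged by that intermediary's address, which is the limitation the answer describes.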

Related

ASP.NET Unique Browser ID

I have a single solution with multiple C# ASP.NET Web Forms projects. I want a way to identify a given browser so that each website can identify that same browser. I need to do this from the C# Code-Behind code (not with the client code, like JavaScript). I also cannot use the Session because it isn't shared across websites. I don't think cookies are either.
For example, if a user logs onto Website1 and then logs onto Website2 with the same browser on the same computer, I want to be able to identify that. But if a user logs onto Website1 with Chrome and then Website1 with FireFox (regardless of whether it's on the same computer or not), I want to detect that as well.
If it makes any difference, I am using Azure to publish my web projects. So all websites will have similar domains (eg website1.azurewebsites.net and website2.azurewebsites.net).
If you want to track someone using the same browser on the same computer then use a cookie. If the websites have different domains you'll need to be clever because modern browsers have a lot of protection against what they see as tracking cookies. One option is using a hidden interstitial page as described here.
Your second scenario, a user accessing same site with different browsers, I suggest storing the user agent string (one of the request headers) and adding this to a login audit so you can build up a collection of different user agents used by a given user. There are libraries available for parsing user agent strings and extracting name, version, engine etc.
Between these two techniques and a bit of business logic you should get what you need. If you would like me to clarify any of this, let me know and I'll provide more detail.

How to share cookies between 2 windows accounts

Does anybody know how to share cookies between 2 Windows users?
I have a Windows 10 machine with 2 users: one is admin and the second is operator.
Admin logs in to the system and then goes to the website, where he sets up some config. In this config we have a specific value which should be stored locally on the machine, and the operator shouldn't know anything about it. So he sets a cookie { someKey: someValue } and then logs out of Windows.
After this, the operator logs in to Windows and opens the same website, and he should have access to this cookie { someKey: someValue }.
I searched around the web and found nothing about it. I found only solutions about saving to the file system, sending via tokens, and saving the MAC address with a value in the DB. But this is not suitable for me. I know that sharing cookies and storing locally isn't secure, but I need to implement that feature.
The web project is based on the Chrome browser, ASP.NET MVC, AngularJS and MS SQL for DB storage. Can anybody help me with this issue about cookies?
There is no way to do this. First, every browser has its own way to store and retrieve cookies. It is impossible to write something that will work for any platform and any version.
Second, there is security. You can't just copy some files and expect this to work. Browser developers aren't stupid enough to leave such a big security loophole in their software.
You are mixing Windows applications with full control over the system with a web application that only resides within the browser. You should find a better way. You could use a certificate installed on the machine to validate the user, but it seems to me there are better options, like simply logging in, etc.
Cookies are a browser component that all major browsers locate in user-specific directories. If you could change it to the HTML5 storage API and you could set up the storage in a folder both users have access to (dunno about this), you could have client-side shared data. Most probably, you could not. And certainly not using cookies.
Disclaimer: I haven't used the storage API.
Edit: Just checked. The storage API does store the data in user-specific folders, so you cannot use it either.
"In practice, "client-side storage" means data is passed to the browser's storage API, which saves it on the local device in the same area as it stores other user-specific information, e.g. preferences and cache. Beyond saving data, the APIs let you retrieve data, and in some cases, perform searches and batch manipulations." Source: https://www.html5rocks.com/en/tutorials/offline/storage/

How to limit usage of a tool to users within your company network?

We have a developer debugging tool to help manipulate the security section of a database that our product depends on. This tool's purpose is to inject state into the database to reduce the time to create test scenarios. The database is not a typical database that one can manipulate using SQL. Rather, it is a binary file that only our tool can manipulate. This is a C# application.
If this tool goes outside our company (say someone emailed it to a customer who shared it somewhere public), that could open a lot of security issues.
We would like to build intelligence into this tool so that it is usable within the company or on the network of partners with whom we shared the tool. We have no knowledge of the partner's network.
I am wondering what the suggested ways of implementing it are?
Like:
1. Ping the company Active Directory server or Exchange server. Allow the tool usage if you can reach one of these servers.
2. Package a certificate with the tool that expires a month from the build date. Always check whether the cert has expired before allowing usage of the tool.
3. Modification of (2). Make every user request a key to unlock the tool after a specific date.
Before we go implement a solution, I am wondering if there is already a library that does this.
Thanks
Assuming you host "file" inside your organization and all parties just access it somehow. If you give both data and tools to modify it to external partners, there is nothing really to stop them from modifying data as they please (short of legal/administrative actions, but that is outside of SO scope).
There is also really not much you can do to protect code running on the user's machine, irrespective of whether it is C# or native compiled code. .NET code is a bit easier to modify/bypass protections in, but if you are concerned about securing access to a file you need to protect files/servers rather than worry about client-side code.
The usual solution to such a problem is authentication and authorization: only allow authenticated users to access the file and only accept changes from authorized users.
If you use file-based storage, then inside your organization regular Windows domain accounts would work for authentication and regular file system permissions would work for authorization.
For outside partners you would probably need a server to perform modification of the file(s), and authentication/authorization possibly using ADFS or OAuth.

Get the type of logon for a user

Hi, I am working on a project and need to get the type of logon for each user on the domain. By type I mean if the user connected to our domain via their phone to check e-mail, or if they are on a laptop and connected through a VPN, or just the plain desktop authentication.
I need this because we have a policy here that a person who has not logged on in over 10 days must be disabled. I am not seeing anything obvious on the MSDN site, nor anything relevant in any posts.
Any help would be greatly appreciated. I am looking to do this in C#, as I already have a few other class libraries in C# doing some other AD functions and want to just add this into that solution.
Thanks.
I have found this CodeProject article that describes almost everything you can do with windows user, including getting domain information.
Howto: (Almost) Everything In Active Directory via C#
Assuming you've already got the logon, the browser could give you device information.
I would think that a browser check might be the way to go. Any interaction on the part of your users could then be used to directly confirm which machine they are using, be it iPhone, Android, Windows Phone, or standard computer. You'd have to code that with a little JS but it would allow you to very simply add that to any logs.
A simple way can be found here: http://www.w3schools.com/js/js_window_navigator.asp but perhaps a better way would be with object detection, which would find the browser by directly testing for certain features.

Display Computer Info on an ASP.NET Page

I want to build a page for end users to visit (in our MPLS Network) and it show the following information in regards to them:
Computer Name
OS
Disk Space
Memory
IP Address
Active Directory User Name
Password Expiration Time (As defined by Global Policy)
Maybe a few other things such as Trend Micro Office current version vs. their version, # of MS Updates needed (we utilize WSUS), and a few other things in the future.
My question is how would I pull this information from the user when they visit the page? What is the proper function for this? Anyone have examples they wish to share for me to learn by if possible?
You won't be able to show all of this using C#. C# is a server-side language and therefore only has access to information relative to the server it's being hosted on. You might be able to access this information from a Java applet that runs on the page in the user's browser, but I'm not sure. There are usually security restrictions involved.
If you allow your web page to gather all this information about your users, what's to stop some other web page from doing the same?
So it's in an intranet only? You could use the client computer's IP address (as reported by the Request.UserHostAddress) and then query your domain controller for the information (via the DomainController class and the collections/methods it exposes).
Most of the information you're after will be available via the Domain Controller, and some of the others can be retrieved by using remote performance counters (for example, you could query for free disk space using the LogicalDisk\% Free Space counter).
You cannot do this without writing a browser plug-in or a Java applet.
The information is not available through JavaScript, and it's not in the headers sent by the browser. This is by design, for security reasons.
Edit: This answer only applies to public pages; I see from subsequent comments that it will be intranet-only.
You might want to look at XAML Browser Applications (XBAP). It's similar in a way to Silverlight except you get the advantages of the full .NET framework. To be able to access some local resources you would need to use the trust mode as explained below.
WPF XAML Browser Applications Overview
Creating a Full Trust .xbap Application
