May be it is dublicate of get Unique info for a machine in asp.net. But I need your other ideas for this.
Firstly let me try to explain my opinion:
I want to bind my system's user to his machine. When Admin creates a user in user role, he takes user's machine details (mac address, hardware information etc.) and when user tries to login, we check he is on valid machine or not.
With ASP.NET we can get only client values like Machine name, IP Address. But this values are changable.
How can I solve this issue? Or is there any way to get client's hardware information with ASP.NET?
For what it's worth, I would suggest not using MAC address as it can be easily spoofed and only ties you to the network interface, if you're user switches between wifi and wired, they would be dropped. Also, some devices - such as iPhone - are not rotating MAC addresses behind the scenes.
Can the same be achieved using a cookie - admittedly the user can delete these and will need to be reassigned, so depends how much of an issue that would be for you.
Otherwise, the only solution I have seen relies on a plugin for the user, such as Flash.
Related
I've been asked to write a C# application to run on a Windows 7 machine to display the time of day, weather, etc.. That I can do. What I'm looking for is guidance to run the application on a Windows7 machine without logging as a user. In essence the machine would simply be a CPU with a screen. No keyboard or mouse. I've seen deployments done on MS-PixelSense (use to be MS-Surface) using a service ID.
If I need to signin, user policies kick in, screen savers enable, etc.. I'm assuming if I use an automatic Service ID, I can let the application override most of the settings keeping the screen on and needed privileges assigned / locked down to the service ID.
Any information / suggestions are appreciated....
First, some background informations:
Accessing a network share
If a process running on your client wants to access a (CIFS) share, it has to be run under a user account (or "Service ID") which has access rights to this share. There is a way (if the client is a member of Active Directory) that the machine name appended with $ (which is in fact the machine account’s name in AD) has to be entered in the ACL (Share / NTFS), but this is not a very "usual" way.
See also https://serverfault.com/questions/41130/network-service-account-accessing-a-folder-share
Windows Service running under a user account (aka technical account or Service ID)
A service running under a user account cannot access the GUI. There are some tricks, and some years ago I wrote a tool which allows a service to start another GUI program, where the GUI is displayed above the Ctrl-Alt-Del dialog. But this does not work under Windows 7 anymore.
But even a service which runs under local system cannot display a GUI on the logon screen.
You would have to write a Credential Provider.
See
Windows service showing a GUI when no user is logged in
https://stackoverflow.com/a/3074040/4547223
Another very deep technically article. It says it is possible to display a GUI on the secure desktop / logon screen. I have not yet tested this myself:
http://calebdelnay.com/blog/2012/01/displaying-a-program-on-the-windows-secure-desktop
Autologon
The most well known way is still the "classic" autologin.
See https://security.stackexchange.com/questions/10170/how-secure-is-windows-auto-logon for some explanations and links.
The medium secure way is to store the password as LSA secret (can be done in C# with P/Invoke or with some tools).
If I need to signin, user policies kick in, screen savers enable, etc.
Yes, but this can be handled, you probably have to create an own AD OU with an own policy for that.
I'm assuming if I use an automatic Service ID, I can let the application override most of the settings keeping the screen on and needed privileges assigned / locked down to the service ID.
A service ID /technical account is basically the same as a normal personal user account.
In some Active Directory enterprise environments a technical account has restrictions that it cannot log on interactively and other restrictions. But it still IS a "user account"
Logonexpert (http://www.logonexpert.com/)
I tested this (trial version). It is a nice, small tool which does it’s job. It is more safe than "normal autologon", however in the end, it is not much different from normal classic autologon. One benefit: it stores the password more recurely, but in theory, some hacker may still decompile the program and find out a way to decrypt it. And more important for you: Beside the more safe password store, it does not gain you much. You still have a user login same as normal autologon.
A few suggestions
Probably you can use a local user account on the client system and use normal autologon mechanism. And then you should consider that the client system does not poll for new data on a network share, but instead another server program (implemented as a service, running under a technical domain account) pushes data on a network share on the client.
Doing it this way, the client code does not need to access network shares, with the benefit, that a malicious attacker also has no access to network shares.
If you really need to access a network share from the local user context, you can probably logon to the server, as explained in my answer here:
https://stackoverflow.com/a/28749093/4547223
You have to to change the registry code part with the access to the CIFS share.
But doing it this way, you again have a password, which you have to encrypt and store. I do not recommend this.
In the end...
Windows does not make it easy what you want to do. If you are not strictly bound to Windows, you can consider using a Raspberry Pi with Raspbian (a Debian derived Linux). You can install Chromium browser, which displays a web page on the server and updates automatically. We use this with great success for some time.
I have created a Labor/Time Keeping application that is used for the Construction industry, and it consists of a WinForms Client where employees actually clock in and out, a WCF web service that fields the clock in and out events and provides data to the clients, and a back-end WinForms piece for Configuration, Administration and Reporting. This is all .NET with C#.
I'm looking to also write an ASP.NET Web Client to make it more flexible, with the intent that this will be used from tablets and/or cell phones from the field.
So, now that the background is out of the way, here's a requirement that I'm trying to figure out the best way to accomplish.
I don't want employees to be able to just clock in and out from their house, or from their personal phones; they should be clocking in/out with a company owned device that the Foreman keeps in his truck for that specific purpose. At the same time, I want logging in to the web app to be as simple as entering a 4 digit pin number and clicking either Clock IN or Clock OUT (no offense to the construction industy's employees, but there are some who literally have trouble trying to type in a username and password on a mobile device).
What is the best way to limit access to this web client to some specific set authorized of devices? I've considered trying to MAC Address filter, and I read about using client certificates to limit which devices could access the web service, but is there any better way? I mean, couldn't a client certificate just be copied to someone's personal phone if you get that rare concrete finisher who happens to be a nerd and know how to get it off of the company's device?
Is there any other way from a web app that you can uniquely identify a device and match it up with a list of authorized devices?
In ASP.net you can't take the MAC address of client's network adapter. Because of that, you can not count on defining a white list of MAC addresses for 'valid' devices. But you can use some other tricks alternatively:
1- You can find out the IP address of your client devices and limit them if they are not authorized from your side.
2- You can Also detect OS, computer name and browser name and screen resolution and you may utilize them in this case.
3- You can keep a flag of how many cookies have you been set for a specific user and control in this way.
4- You may use Windows authentication to prevent your users from a form-based authentication (of course if your network is active directory based)
So in the past I have always developed windows forms client software while inside the work network, we went on the lazy rule that no external hardware is allowed on site, nobody can tamper with the hardware so software was always going to be run within the network which were all joined, this allowed me to lazily set the context as follows:
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
Thread.CurrentPrincipal = wp;
So now I have been asked to write an application which is going to be running on sales-rep laptops. I can't 100% guarantee that they don't take that software and run on their home PC and have it "pretend joined" to a network. I know I can detect what network name they might be joined to, but what is the correct approach for guaranteeing that the network IS in fact OUR network? Is there some sort of fingerprint I can embed inside the application itself for determining if the network is our work network?
Gosh, that's what you meant. Head meets table in my place.
What you need is a License-Server. You're obviously describing a company license situation! Do you have an MSSQL-Server in your network?
Create a User like your_program_nameLCU (license check user)
Create a database where the user has read access
Create a Try-Catch for the situation when the database is not accessable
Obviously he's not in your network so shut down the program!
Addition to that:
It work's very well with VPN! And I guess that's what needed too!
If it is just a basic network name check you want you can just use the identity name (WindowsIdentity.GetCurrent().Name) which should contain DOMAIN\username. Once you have that plenty of ways to split the strnig and retrieve the DOMAIN name (see Built-in helper to parse User.Identity.Name into Domain\Username).
As wegginho mentioned in the comments though someone could theoretically set their network name to the same network.
We have a windows application (C# .net) and we'll be giving installers to client. The requirement is that once the application has been installed , user should not be able to edit the system time/date . This is to make sure that the application generated dates/reports are not manipulated.
My target OS is Win-XP
What is the best way to do that ?
Does OS provide any facility to do that ?
Client machine is a stand alone machine and is not on any network.
Thanks in Advance
As said here already, you can use group policies, but they are easily circumvented. Also, your customers may react hostile (rightfully so) if your app does that. Still, in case your application is in a closed network, talk to the sysadmin and get it rolled out as a policy.
If you really need a trusted time source, then do so: Write a Web Service or use an existing NTP Service that your application contacts and use the time returned by that trusted service. Then use signing techniques to prevent tampering with the reports afterwards.
Downside: you need internet access. Possibility is to have the client setup a NTP Server within their network (AFAIK Windows Domain Controllers can do that automatically?) and use that, but then the client can again tamper with it.
But bottom line is: Contact a webservice to make tampering hard or use group policies to make tampering easy. Making tampering impossible isn't possible anyway.
That sounds more like a server-fault question; I wonder if "group policy" is the way to do that on a per-machine basis;
However - for a programming answer - why not get the time from a central server when your app starts? Calculate the offset from the local time and apply that throughout your app.
If security needs to be tight you may need to sign the response from the server to prevent spoofing (in particular via "hosts" etc).
You block this by changing Windows Policy. You can either do this from Active Directory (Group Policy) or by manipulating the local seurity policy.
See link: http://www.sevenforums.com/tutorials/113557-date-time-allow-prevent-users-groups-changing.html
But I would rather recommend that you check time with an online server instead. Preventing such a thing for users may give them big problems if their BIOS resets or something.
I don't think that is possible because that is related to group policy rather than your application changing any system settings which will prevent users from changing system date time. Go through these it might come of use -
If XP Pro, use the Group Policy Editor to create fine-grained
permissions.Start>Run gpedit.msc [enter]
If XP Home, look at Doug Knox's Security Console and see if it will do
the job for you: http://www.dougknox.com
No, you can't prevent a basic OS function like this (aside from a group policy...but not programmatically, especially if the users had admin permissions). If you could do this programmatically, it could easily be exploited for mis-use (changing the time and breaking Kerberos authentication for example).
Only through Domain policy - admins must prevent the user not to mess with the time.
Windows 2008 has an option to sync time with internet.
Alternative is that you create a web service that your app could access through internet and get the non-modified time.
You need to implement local or group policy for that. I don't know if you can easily manipulate it from C#.
Assuming these machines are not actually under your administrative control then clearly you can't do this. But an alternative would be to get the time used to generate your timestamps from an external web service, you could use some sort of encryption to access the service to ensure the client can't tamper with the result en-route.
What i want is :
There is one windows app ( made in .NET 3.5, VS2008, C# ) for Windows XP SP2 & SP3
generally users can change there IP or modify their IP Address.
Now,when my apps starts i dont want users to change there IP Address untill my app stops.
Hope now question would be clear.
Need your advice soon.
Recommend solution in C# .NET or VB.NET only.
generally users can change there IP or modify their IP Address.
No they don't, it is a very privileged operation. An administrator account is necessary. On Vista and Win7 the UAC prompt has to be acknowledged. Preventing an admin from administering the machine is a lost cause and in general a hostile act. And pointless, the admin has all the required powers to kill your app.
Fix the real problem. The days that you could count on having your app run with an admin account are long gone. Anybody that runs Vista or Win7 is quickly going to uninstall your app.
I don't think there is much you can do to temporarily prevent users from changing their IP addresses.
On most machines the IP address is controlled by the DHCP server. If this server decides you need to change IP address, you have to follow or your connection is closed.
Administrators can change the IP address, you could remove a user from the admin group (but that does not prevent point 1). But that should mean you have a controlled user base (in an enterprise), and you should be allowed to do that. (And how are you going to put them back into the admin group if they are not an admin)?
Maybe the design of your application is wrong, if it depends on always having the same IP address. Or you should mention it in the "requirements".
For example: for un-interrupted "action", P2P clients (like Bittorrent) depend on having the same IP address, but they do not enforcing this.
I don't think you can block the access, but you can monitor the IP address, and when it changes you can roll it back to the old IP using WMI.