Not sure if there is another thread with the answer, but tried looking and nothing stood out.
Our company runs Windows Server 2008 R2 and as part of the normal login procedure you type your username and password. IT sets the domain when you get your PC so that is all good. So, when you open IE, the intranet site detects that you are person XXX YYY and then logs you into the site automatically as the right person.
Now is there any way that I can do the same with an application written in C# or VB.NET? I.e., I would like the user to not have to log in as they have already done so during Windows login, and then use the application as the individual user. This is for logging purposes and specific rights for each group (like admins or guests etc).
You can use Environment.UserName to get the username of the current user, but you will still need to store some permissions pertaining to this user somewhere.
You can make people a member of an Active Directory group and then grant them permissions based on which group they are a member of but this will require that you (or your application) has the ability to create AD groups and move people in and out of them. If you need some pointers to this then I can find some code.
I am writing a C# WinForm and trying to get a list of computers in a domain from one user account using Active Directory (AD) but I can't seem to figure it out.
Any guidance or samples would be much appreciated.
Thanks
JPL
The only way AD can enforce this is with the list of machines a user is allowed to logon to, which is an attribute of the user, not the computer. It's a legacy feature and probably not what you're expecting.
In practice, computers define who can logon to them based on a number of security rights, e.g. Allow Logon Locally, Allow Logon via Remote Desktop, etc. You would need to query each computer to find out what users/groups are in those rights, and then compare that to the user's token to see if there's a match.
... I want to grant a user temporary administrator privileges via a C# tool. Therefore I add the user to the administrator user group (a background service running under a privileged service account does this job). However the changes take effect only in new sessions (after logout/re-login), which is inconvenient. Is there a way to refresh the current user profile?
I tried several ways:
via .NET Process.Start with the LoadUserProfile property set to true.
The next try was via the LoadUserProfile Win32 API function.
Another way was to impersonate the user with .NET impersonation.
All these tries did not recognize the privilege changes. It seems to me that there is a cached user profile which contains the old privileges and is reloaded anytime.
The only way where a new profile was loaded is the runas command, however we do not want the user to play around with the command line; it should be possible to do this from .NET.
Would be great if there is another option. Maybe there is a tool which can do this?
OK, I re-login the user and then I use the new token in combination with e.g. CreateProcessAsUser to run a new process using the new token. Is there a way to assign the current Windows environment the new token and therefore all actions the user performs in Windows use this new token? Otherwise I could use some other tools like lsrunas to open a process in a new context and avoid the WinAPI calls.
From our perspective we trust the user (it is his private notebook), he can install the software he wants (for a temporary time), but we document each installation with our tool. We are running a service with local admin account in background which manages the group assignment and system documentation.
When logging on to Windows a security token is created, where all group memberships (including nested memberships) are resolved. The token contains a list of SIDs (Security Identifiers) that the user belongs to. The first SID is the user's own ID and then any groups and roles (such as interactive logon, Everyone etc.) are included. This means that group membership does not have to be looked up against the user DB - possibly an Active Directory server - each time an access check is done. Instead the ACL (Access Control List) of the object (e.g. a file) is checked against the token.
To refresh the group membership you need to have a new token created. Either you can log out and then log in again as you describe it, or you have to do another logon with LogonUser for the same user. That function is not accessible for a normal user, however.
I think that it all boils down to finding another design. Adding and removing a user from the admin group dynamically looks strange from a security perspective. Is there any other way you can give the user access to the resources needed? Can you do the actual work from within a Windows Service that runs under the LocalSystem account?
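As an added illustration of the token behaviour this answer describes, and of the group-based permission approach suggested earlier for the WinForms question, here is example code that is not from any of the posts: it dumps the SIDs in the current process token and maps them to an application role for logging and authorization. The group names in RoleMap are placeholders.

```csharp
// Added example (not from the original posts): inspect the current process token.
// Group membership is resolved into the token at logon, so the list printed
// here does not change when groups are modified until the user logs on again.
using System;
using System.Security.Principal;

static class TokenInspector
{
    // Constructed mapping from Windows groups (placeholder names) to app roles.
    static readonly (string Group, string AppRole)[] RoleMap =
    {
        (@"BUILTIN\Administrators", "admin"),
        (@"CONTOSO\AppEditors", "editor"),
        (@"CONTOSO\AppReaders", "reader"),
    };

    static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(id);

        Console.WriteLine($"User name: {id.Name}");
        Console.WriteLine($"User SID : {id.User}");

        // Every group SID in the token, translated to DOMAIN\Name where possible.
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolved>"; }
            Console.WriteLine($"  {sid.Value,-45} {name}");
        }

        // IsInRole consults the token's SID list, not the directory: cheap,
        // but it reflects membership as of the last logon only. An unknown
        // group name simply fails to match.
        string appRole = "none";
        foreach (var (group, role) in RoleMap)
        {
            if (principal.IsInRole(group)) { appRole = role; break; }
        }
        Console.WriteLine($"Application role (for logging/authorization): {appRole}");
    }
}
```

Run it, add the account to a group, and run it again in the same session: the output is unchanged until a fresh logon produces a new token.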
Hi, I am interested in getting the Environment.UserName in a WPF Browser application.
But I have run into a SecurityException. What changes should I make to obtain the environment variables?
Update:
the application is run on my company intranet.
The Environment.UserName property getter asks for a demand on the EnvironmentPermission.Read permission. Yeah, that's going to blow in a sand-boxed environment such as created to run code securely inside a browser. A web app has no business obtaining privileged information such as the user name. It is half-way to being able to crack the user's login credentials, albeit that the password would be a bit harder to guess.
No can do, if you want the user to reveal her user name then you are going to have to ask her politely. And do make sure that's a name that you provide, don't expect her to reveal the name she uses to logon to her machine.
The basic setup is classic - you're creating a Windows Forms application that connects to a DB and does all kinds of enterprise-y stuff. Naturally, such an application will have many users with different access rights in the DB, and each with their own login name and password.
So how do you implement this? One way is to create a DB login for every application user, but that's a pretty serious thing to do, which even requires admin rights on the DB server, etc. If the DB server hosts several applications, the admins are quite likely not to be happy with this.
In the web world typically one creates his own "Users" table which contains all the necessary info, and uses one fixed DB login for all interaction. That is all nice for a web app, but a windows forms can't hide this master login information, negating security altogether. (It can try to hide, but all such attempts are easily broken with a bit of effort).
So... is there some middle way? Perhaps logging in with a fixed login, and then elevating privileges from a special stored procedure which checks the username and password?
Added: OK, so integrated authentication and windows groups seem to be a fair choice in most situations, so I accepted the relevant answer. Still, if anyone can come up with a non-integrated authentication solution, they'll get an upvote from me.
For WinForms use Windows groups. No passwords are needed because the credentials are inferred from the Windows login using your application.
This is best practice
Basically:
The user belongs to a group (assumes single domain)
Group is a login in the SQL Instance
SQL login maps to a database user
DB User belongs to a DB role
Role has object permissions
It's worth reading up first before having someone try to capture all the information here
Edit:
If you have a workgroup, you can still do it by setting up sqlbox\bob, sqlbox\hans etc in a sqlbox local group.
When someone tries to connect (say bob on his PC) Windows will ask them for their details. As long as bob knows his SQLbox account details, he can connect.
But then, I've not tried this in a workgroup setting...
In addition to using Windows Domain/AD Groups (put the AD groups in appropriate roles you create in SQL Server, so all account maintenance moves to AD), be sure to use the Application Name in your connection string - this allows you to see which applications are performing operations in the profiler etc.
Because when everyone is logging on as themselves from different applications - windows and web, it helps to know that it's actions taking place through an application and not just any user's ad hoc query through ODBC and Excel, say (if you allow users access to certain views for data export or report writing).
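As an added example, not from either answer above: a client written against the chain gbn lists (group, login, database user, role, permissions) that connects with integrated security, sets the Application Name this answer recommends, and asks SQL Server how the session actually resolved. Server name, database, group and role names are placeholders, and the T-SQL in the header comment is the assumed DBA-side setup, not something the application runs.

```csharp
// Added example (not from the original answers): connect with Windows
// authentication and an explicit Application Name, then verify server-side
// what login, database user and role the session landed in.
// Assumed server-side setup (placeholder names, run once by a DBA):
//   CREATE LOGIN [CONTOSO\AppReaders] FROM WINDOWS;                   -- group -> login
//   USE AppDb;
//   CREATE USER [CONTOSO\AppReaders] FOR LOGIN [CONTOSO\AppReaders];  -- login -> db user
//   CREATE ROLE app_reader;
//   ALTER ROLE app_reader ADD MEMBER [CONTOSO\AppReaders];            -- user -> role
//   GRANT SELECT ON SCHEMA::dbo TO app_reader;                        -- role -> permissions
using System;
using System.Data.SqlClient;

static class IntegratedAuthCheck
{
    static void Main()
    {
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = "sqlbox",                    // placeholder server
            InitialCatalog = "AppDb",                 // placeholder database
            IntegratedSecurity = true,                // no password in the app or its config
            ApplicationName = "InventoryClient v1.2", // visible in Profiler / sys.dm_exec_sessions
            Encrypt = true,
        };

        // Built-in functions report how the server resolved this session.
        const string sql = @"
            SELECT SUSER_SNAME()           AS login_name,    -- Windows account authenticated
                   USER_NAME()             AS db_user,       -- database user it mapped to
                   IS_MEMBER('app_reader') AS in_app_reader, -- 1 if the role chain resolved
                   APP_NAME()              AS app_name;";    

        using (var conn = new SqlConnection(csb.ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                while (r.Read())
                {
                    Console.WriteLine($"login={r["login_name"]} user={r["db_user"]} " +
                                      $"app_reader={r["in_app_reader"]} app={r["app_name"]}");
                }
            }
        }
    }
}
```

A session opened from Excel or ODBC by the same user shows the same login but a different APP_NAME(), which is exactly the distinction this answer wants the DBA to be able to make.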
Can't you use Active Directory Groups to make the management of the db connections easier?
From MSDN...
The name can be a Windows user name or a Windows group name, of the form DOMAIN\Name.
That way you may have a few groups, read-only, editor, manager, admin etc. It's how I have achieved similar things in the past with ClickOnce apps.
It really is the best choice for what you are doing.
I am assuming this is an existing app? If it was new I would otherwise say to go client server with web-services or similar.
PK :-)
With regards to wanting to hide your authentication and use a single application login with WinForms, if the login has very little privilege - select only on views and execute only on stored procedures - anyone who manages to reverse engineer your encryption of the login information in your application will only be able to perform the same functions they could perform in your application. If you absolutely have to raise the level of security, you could authenticate each stored proc against your users table (passing user and hash to each SP). Also, rotate the central application login on a regular basis.
All this is a lot more difficult than using integrated authentication and implementing AD platform in your environment. So you're effectively writing your own directory and authentication instead of using one off the shelf.
In addition to gbn's update about workgroup versus domain, you can run the application with RUNAS /NETONLY /USER:SERVER\USER with user credentials on the domain or server which your machine is not a member of. At the point that the application makes the connection to the database, the remote credentials will be authenticated and used. I have an application which actually checks to see how it was run and if it not run with a particular switch, it prompts for username and password and then re-runs itself using the Windows API using a function equivalent to RUNAS /NETONLY /USER:DOMAIN\USER. This is because our workstations are not currently on the domain (or on a domain with a trust relationship) of the SQL Server. In this case, you could still manage the security in local groups on the SQL Server or groups on the domain of the SQL Server. You would basically just lose out on the automated authentication token.
OK, I have my GUI installed on the server which has users: administrator with the role of Administrators, and user1 which has the role of Guest...
I have one project and there are different pages for administrators and guests... when the login screen comes up and the administrator logs in he should be redirected to the admin.aspx page and for user1 he should be redirected to the guest.aspx page.
Now the scenario is I have 10 users in a company and one administrator. This GUI is on the network server and these 10 users are able to access it as guests.
How does the guest user log in and access the SQL database in read-only mode, but when the administrator user logs in he can access the database in read and write mode? I don't know how to do this really... any suggestions?
(by IIS server or web.config or some setting in SQL Server)
And the previous question is what to use (Forms or Windows authentication); where can I get information on how to set up this kind of authentication? Is there the need to use impersonation also?
I know this isn't directly answering your question, but unless you are letting your users (and administrators) write their own queries (which you should never do BTW!) it shouldn't matter.
Users should only have access to options that allow them to read data from the database, not update that data. If they do then it's bad UI design.
You should make sure that the account that "Users" use only has read access - do this from Management Studio. Connect to your server and expand Security > Logins in the Object Explorer. Right click and select New Login... fill out the form - select "SQL Server authentication". You can then grant and deny access to the relevant parts of your database. Check the SQL Server documentation for more details.
What do you mean when you say your GUI is installed...?
This might be something that's tied into your CODE (if guest then don't allow writes, etc).
You might use two different accounts for DB access depending on the user if you'd like to.