Hi,
I have an application that needs to behave differently depending on the user running the application. (I.e. I need to block the admin functions from general users)
The app uses a SQL server database. Is it safe to store the windows user's SSID along with their permissions/restrictions and then use WindowsIdentity.GetCurrent().User.Value and compare this with the values stored in the database when the app is run to do my restrictions?
(Users don't have permissions to write to the database, so there's no risk of a user changing their own settings.)
I'm making the assumption here that it's not possible to change windows user SSIDs. Would it be safer to hash the SSID before storing it and compare that instead?
What about the risk of someone changing the in memory value of the current user's SSID after it is loaded, but before it is hashed and compared to the stored value?
What should I be doing instead of this to restrict what different users can do.
Many thanks,
Simon
Simon Stevens wrote: The app uses a SQL server database. Is it safe to store the windows user's SSID along with their permissions/restrictions and then use WindowsIdentity.GetCurrent().User.Value and compare this with the values stored in the database when the app is run to do my restrictions?
Why not just the user name? Why make things more difficult for yourself?
Simon Stevens wrote: Would it be safer to hash the SSID before storing it and compare that instead?
You would do this for a password. Not an identifier.
Simon Stevens wrote: What about the risk of someone changing the in memory value of the current user's SSID after it is loaded, but before it is hashed and compared to the stored value?
I don't know your users. Do you think they have that level of technical expertise? I know I don't (although I could find out, I suppose).
Colin Angus Mackay wrote: Why not just the user name? Why make things more difficult for yourself.
No real reason, ID just came to mind first. Also, can't user names be changed?
Colin Angus Mackay wrote: You would do this for a password. Not an identifier.
My concern was that if it is possible to change your user's SSID, you could just change it to match others in the database. By hashing the stored value no one would be able to do this.
Colin Angus Mackay wrote: I don't know your users. Do you think they have that level of technical expertise? I know I don't (although I could find out, I suppose).
I doubt it, but if I'm going to use arguments like that I would just build the app with an unsecured database and make the assumption that none of my users would know how to access a SQL database anyway. Surely I should aim to be secure, regardless of the probable technical ability of the users.
I suppose my real question here is "is it possible to change a user's SSID?" (either deliberately to impersonate another user to gain permissions, or inadvertently and lose the access the user should have).
Simon
Simon Stevens wrote: can't user names be changed?
Yes, I suppose they can. But then, if an administrator changes the user's username, surely they can be told to update the database also?
Simon Stevens wrote: My concern was that if it is possible to change your user's SSID, you could just change it to match others in the database
The SSID is static, I believe - but I don't know enough about it to say whether it stays the same across the network or each machine assigns its own, etc. And if you were using user names instead, although you could change the user name, you couldn't change it to clash with an existing one. If users are removed from the system, regardless of whether you are using SSIDs or user names the information should be removed from the database.
Simon Stevens wrote: I doubt it, but if i'm going to use arguments like that I would just build the app with an unsecured database and make the assumption that none of my users would know how to access a SQL database anyway.
No, I'm trying to be pragmatic. If you attempt to over do security you will tie yourself in knots rather than actually secure the system.
Simon Stevens wrote: Surely I should aim to be secure, regardless of the probable technical ability of the users.
Yes, but are you going to the depth of securing something as ephemeral as an ID in memory while the process is running? There is a SecureString class you might be interested in. But, if the data really is truly that sensitive that you need that level of protection then I would respectfully suggest that you get someone in who is an expert in that area of security because I know it is beyond me and given the fact you are asking these questions, it is beyond you too.
Colin Angus Mackay wrote: The SSID is static, I believe
Yep. Once created, it never changes, so long as Windows isn't reinstalled.
Colin Angus Mackay wrote: but I don't know enough about it to say whether it stays the same across the network or each machine assigns its own,
If in a Workgroup environment, each machine maintains its own SAM database, hence each login name (even if the same across all machines) has a different SID. In a Domain environment, the domain maintains the sole copy of the SAM database and each machine in the domain trusts that copy, so the SID won't change between machines.
Colin Angus Mackay wrote: Yes, but are you going to the depth of securing something as ephemeral as an ID in memory while the process is running? There is a SecureString class you might be interested in. But, if the data really is truly that sensitive that you need that level of protection then I would respectfully suggest that you get someone in who is an expert in that area of security because I know it is beyond me and given the fact you are asking these questions, it is beyond you too.
Very much agreed. This sounds almost like a "federal government paranoid" requirement.
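An added example for this sub-thread (it is not Simon's, Colin's or Dave's code) showing both halves of the discussion in working C#: the SID lookup Simon describes, done by comparing SecurityIdentifier objects rather than raw strings, next to the group-based check that is the usual answer to "what should I be doing instead". Assumptions: the permissions table is stood in for by an in-memory dictionary, the two SIDs in it are made up for the example, and MYDOMAIN\AppAdmins is a hypothetical group name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example for this thread; not the thread's own code.
// Assumptions: the "permissions" table is an in-memory dictionary, the SIDs in
// it are constructed, and MYDOMAIN\AppAdmins is a hypothetical group.
static class SidAuthorizationDemo
{
    // Stand-in for the SQL table row "SID -> role". Keys are SecurityIdentifier
    // objects rather than strings, so the comparison is by SID value, not text.
    static readonly Dictionary<SecurityIdentifier, string> StoredRoles = LoadStoredRoles();

    static Dictionary<SecurityIdentifier, string> LoadStoredRoles()
    {
        Dictionary<SecurityIdentifier, string> roles = new Dictionary<SecurityIdentifier, string>();
        // Constructed sample SIDs (same domain part, different RIDs), not real accounts.
        roles.Add(new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1001"), "Admin");
        roles.Add(new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1002"), "User");
        return roles;
    }

    // The approach from the thread: look the caller's SID up in the stored table.
    static string RoleFromStoredSid(WindowsIdentity identity)
    {
        if (identity.User == null)            // anonymous token: there is no SID to look up
            return "None";
        string role;
        return StoredRoles.TryGetValue(identity.User, out role) ? role : "None";
    }

    // The group-based alternative: let a Windows group carry the role, so the app
    // keeps no table of principals at all. Group membership is read from the same
    // access token the SID comes from, so it is exactly as hard to forge.
    static bool IsAppAdmin(WindowsIdentity identity)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(@"MYDOMAIN\AppAdmins")            // hypothetical group name
            || principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("Name: {0}", me.Name);
        Console.WriteLine("SID:  {0}", me.User == null ? "(none)" : me.User.Value);
        Console.WriteLine("Role from stored SID table: {0}", RoleFromStoredSid(me));
        Console.WriteLine("App admin via group check:  {0}", IsAppAdmin(me));
    }
}
```

Either check only decides what the client's UI offers: it runs inside a process the user controls, so anyone able to patch the SID in memory is already running code as that user (or as an administrator) and can simply skip the comparison, which is why hashing the stored value or wrapping the string in SecureString buys nothing here. The enforcement that actually holds is the database's own: with Windows authentication, grant execute on the admin stored procedures to the admin group (hypothetically `CREATE LOGIN [MYDOMAIN\AppAdmins] FROM WINDOWS` and `GRANT EXECUTE ON dbo.AdminProc TO [MYDOMAIN\AppAdmins]`) and to nobody else, so a user who bypasses the client still cannot perform the admin operations.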
OK, thanks for the help, guys. I'm concluding that for my purposes, it is good enough to do it this way.
Thanks
Simon
Hi All,
I am making Windows Services with the help of the project template in VS 2005. As per my information these services require the .NET Framework. So, I want to know whether, if I make this service, it will require the .NET Framework on the other PCs on which it is running.
I want to know this as early as possible, before I go further in my work and then realise, after going very deep, that I am doing the wrong thing.
Thanks in Advance.
Ashish Bhatt,
System Developer,
Avinashi System Pvt. Ltd.
You could make it run without the .NET framework installed. There are applications which bundle the framework in with your application, but the resulting exe does tend to be quite large, plus the cost of these applications does tend to be prohibitive. Here's[^] one example.
Thank You very much for reply.
As you told me, that means I can run my service on another PC (without the .NET Framework), right? So, I do not have to worry about my service. That means I will have to make an installation package for my service, right?
I want to know which other .DLLs and other files I have to include with my service exe. Can you please help me with this question, because I am new to the .NET Framework.
Thanks in Advance.
Ashish Bhatt,
System Developer,
Avinashi System Pvt. Ltd.
Hi all, I have a small problem. I have created a setup for my application. Now I want that if the application is running and we click on the exe again, it should not open another instance of the application. Can anyone help me? Thanks in advance.
This[^] article might help. It's from this[^] book.
Pete O'Hanlon wrote: This[^] article might help. It's from this[^] book.
The drawback to that approach is that it requires creating an inherited application class for each application you want to single-instance, whereas the first method suggested above doesn't have that issue.
For most this probably isn't a problem; I had a large project with several executables though and found that to be an issue.
It has become appallingly obvious that our technology has exceeded our humanity. - Albert Einstein
Patrick Sears wrote: The drawback to that approach is that it requires creating an inherited application class for each application you want to single-instance, whereas the first method suggested above doesn't have that issue.
You're right of course, but as the OP only stated this was for one application then I didn't see this as an issue. BTW - with the judicious use of generics, you can get around the inherited application class problem. There are ways to do this without having too much fuss, it just requires a little bit of extra work in the design phase.
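An added example for this sub-thread (not code from the linked article or book): the named-Mutex approach to single-instancing, which needs no inherited application class and so avoids the drawback Patrick mentions. The mutex name and the GUID in it are constructed for the example, and `new Form()` stands in for the real main form.

```csharp
using System;
using System.Threading;
using System.Windows.Forms;

// Added example for this thread; not the article's or the book's code.
static class SingleInstanceDemo
{
    // Use a name no other product will pick: a GUID is the usual choice. This GUID
    // is made up for the example; generate your own. "Local\" scopes the mutex to
    // the current logon session, so two different users on a terminal server can
    // each run one copy. Use "Global\" for exactly one copy per machine.
    const string MutexName = @"Local\MyApp-{5A1B3C2D-0E4F-4A6B-8C7D-9E0F1A2B3C4D}";

    [STAThread]
    static void Main()
    {
        Mutex instanceLock = null;
        bool createdNew;
        try
        {
            // initiallyOwned = false: we only care whether the name already existed.
            instanceLock = new Mutex(false, MutexName, out createdNew);
        }
        catch (UnauthorizedAccessException)
        {
            // The name exists but was created by another account whose DACL denies
            // us full access (e.g. another user in the Global\ namespace). For our
            // purposes that still means "already running".
            createdNew = false;
        }

        if (!createdNew)
        {
            MessageBox.Show("The application is already running.", "Already running",
                MessageBoxButtons.OK, MessageBoxIcon.Information);
            return;
        }

        // Keep the handle open for the whole process lifetime; disposing it at exit
        // lets the next launch become the single instance.
        using (instanceLock)
        {
            Application.EnableVisualStyles();
            Application.Run(new Form());   // placeholder for the real main form
            GC.KeepAlive(instanceLock);    // make sure it is not collected early
        }
    }
}
```

The GUID, not the product name, is what prevents a clash with an unrelated application that happens to use the same mutex text, and deciding between `Local\` and `Global\` up front matters: with `Global\` and a second user, the constructor throws the UnauthorizedAccessException handled above rather than reporting `createdNew = false`.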
No. You might want to look around on amazon's developer site for a forum there.
"Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon
Dear All.
When I publish an application, there are 2 root folders created something like
the first one
...\Apps\2.0\N2NJKNK\JHKJ7897KJ\appl..tion_ace7blkjnjn_0100.0000_534535 - where my app.exe file stored
and the second one
...\Apps\2.0\N2NJKNK\JHKJ7897KJ\appl..exe_ace7blkjnjn_0100.0000_768976 7 -
where my resource files stored (some.exe, data.sdf)
So to access to my resource (eg data.sdf) I have to do like that:
"..\\appl..exe_ace7blkjnjn_0100.0000_7689767\\data.sdf "
The question: is there any proper way to get to that "...\appl..exe_..." folder?
modified on Friday, December 28, 2007 9:32:45 AM
The solution is to use Application.UserAppDataPath instead of Application.StartupPath
using System;
using System.Windows.Forms;

// Partial class extending the generated Settings class: when the settings are
// loaded, rewrite the relative ".\" data directory in the connection string to an
// absolute path so the ClickOnce-deployed app can find data.sdf.
internal sealed partial class Settings {

    public Settings() {
        this.SettingsLoaded += new System.Configuration.SettingsLoadedEventHandler(Settings_SettingsLoaded);
    }

    void Settings_SettingsLoaded(object sender, System.Configuration.SettingsLoadedEventArgs e) {
        String dataDirectory;
        // Under the Visual Studio hosting process use the build output folder;
        // when deployed, use the per-user application data folder instead.
        if ((AppDomain.CurrentDomain.DomainManager != null) && AppDomain.CurrentDomain.DomainManager.ToString().Contains("VSHost")) {
            dataDirectory = Application.StartupPath;
        }
        else {
            dataDirectory = Application.UserAppDataPath;
        }
        this["test1ConnectionString"] = Settings.Default.test1ConnectionString.Replace(".\\", dataDirectory + "\\");
    }
}
Thanks to http://blogs.msdn.com/smartclientdata/archive/2005/07/15/439008.aspx[^]
I'm not familiar with Crystal Reports, so I ask the stupid question.
I know we can use Crystal Reports in Java. We can also use Crystal Reports in the .NET Framework.
Question No. 1
So is Crystal Reports the work of some company?
Or is Crystal Reports a protocol, an interface?
Question No. 2
Is there a Crystal Reports for C++ (not managed C++)?
It's very kind of you if you answer my question to clear my mind.
I'm sorry, why can't I open this web page?
fantasy1215 wrote: is Crystal Reports the work of some company?
Yes. The people who created it.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
Hi all,
Can anyone suggest to me how to paint (flicker-free drawing) in a form's non-client area?
Thanks in advance
Nagraj
modified on Friday, December 28, 2007 7:10:37 AM
Probably through some kind of double buffering on the area you want to paint.
"Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon
Hi All,
Does anyone know how to connect to multiple dynamic endpoints from a WCF client?
I can't use svcutil.exe to generate proxy.cs because the
services are only exposed at runtime. I did some research on ChannelFactory, but I don't seem to get what I want.
Any help would be appreciated.
Thanks in advance.
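An added example for this question (not the poster's code) showing how ChannelFactory<T> replaces a generated proxy when the endpoint addresses are only known at runtime: the client needs only the shared contract interface, and builds one factory per address. The IEcho contract, the EchoService, and the two net.pipe addresses are constructed here so the sample self-hosts its own endpoints and runs offline on one machine; in the real case the addresses would arrive from wherever the services announce themselves.

```csharp
using System;
using System.ServiceModel;

// Added example for this thread; the contract, service and addresses are made up
// so the sample is self-contained. Not the poster's own code.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return "echo: " + text; }
}

static class DynamicEndpointDemo
{
    // One ChannelFactory per runtime-supplied address: no svcutil proxy needed,
    // only the contract interface shared with the service.
    static string CallEndpoint(string address, string text)
    {
        // Allow-list the scheme and host before connecting, so an address received
        // at runtime cannot redirect the client to an endpoint you did not expect.
        if (!address.StartsWith("net.pipe://localhost/", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Unexpected endpoint address: " + address);

        ChannelFactory<IEcho> factory =
            new ChannelFactory<IEcho>(new NetNamedPipeBinding(), new EndpointAddress(address));
        IEcho proxy = factory.CreateChannel();
        try
        {
            string reply = proxy.Echo(text);
            ((IClientChannel)proxy).Close();
            factory.Close();
            return reply;
        }
        catch (CommunicationException)
        {
            // A faulted channel cannot be closed cleanly; abort it instead.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
        catch (TimeoutException)
        {
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
    }

    static void Main()
    {
        string[] addresses = { "net.pipe://localhost/echo/one", "net.pipe://localhost/echo/two" };

        // Self-host two copies of the service so there is something to call.
        ServiceHost[] hosts = new ServiceHost[addresses.Length];
        for (int i = 0; i < addresses.Length; i++)
        {
            hosts[i] = new ServiceHost(typeof(EchoService), new Uri(addresses[i]));
            hosts[i].AddServiceEndpoint(typeof(IEcho), new NetNamedPipeBinding(), "");
            hosts[i].Open();
        }

        foreach (string address in addresses)
            Console.WriteLine("{0} -> {1}", address, CallEndpoint(address, "hello"));

        foreach (ServiceHost host in hosts)
            host.Close();
    }
}
```

The binding is the part that has to agree on both sides; NetNamedPipeBinding is used here because it needs no URL reservation and authenticates the caller with Windows credentials by default. For services reached over the network you would swap in the binding the services actually expose, keep the address allow-list, and close (or abort, on fault) every channel so the factories do not leak.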