So Ive created a c# WPF application and I wanted to add a way for me to control who had access to it just in case the exe for it got leaked or something. So I created a MongoDB database and made a document called Password. Upon clicking the start button in the window it checks the password you've entered to the password in the database. It works perfectly fine for my uses.
However the problem presented itself when I learned about Decompilers. From what ive read my database connection link to MongoDB could be accurately decompiled. This would give the cracker access to my database with admin permissions and and would allow them to connect to it as well. What is the best way for me to prevent this from happening, and hide my secret in a way that makes it impossible/extremely to decompile?
Configurations and secrets including passwords should be stored outside of an application's code. Instead read secrets from a config file or via a login screen.
Related
Hi I'm making a program where you must sign in to use the program. On our website you will create a user, that information is put into a db. However our host provider has disabled extern connection to the db, so it's only possible to access the database through php.
So here's the question.
What's is the easiest way to make this login system (in the c# program)?
Is it via a REST interface (php), then I should be able to make a connection.
Send a string with the hashed user information, that the website then checks with the hashed data in the database. The website then returns with a yes or no.
A third way?
What do you guys think is the best way?
If you handle the login through a php document, then you could open it using a php-capable webbrowser-control, therefore executing the php and logging in the user. By the way, pay attention not to show the webbrowser to the user unless you are certain your application is secure enough and does not show sensitive information.
I am building a web application to store sensitive medical information into a database with TDE on. However my users are in 3 categories:
The medics who have access everywhere
Management who can only see certain pages and access certain tables/views
I.T. guys who will login and need to access a different database in the SQL Server to load up some dummy data so they can do their troubleshooting.
The first thing that came to mind was to create a user management system. I created one by asking the users to enter their own private password I made for each of them, but I am not sure what I should protect. So what I tried to do is to encrypt the SQL connection string using AES and the password I have provided each medic, and saved the encrypted string into a table in a different database.
When they launch the application, it will ask for their password which in turn will decrypt the corresponding connection string, store it in a cookie and protect it using Machine.Protect() found in asp.net 4.5
This way, I can use page permissions for allowing only the medics to access certain pages with certain reports. Allow management to see their own pages and thirdly when the I.T. guy goes in, he will have his own key that will decrypt a a different connection string to connect to a dummy database so he can do his troubleshooting.
Is this a safe way or can this be exploited easily? I would love to have any feedback on this.
All code calls to the SQL server is in a single class library dll, language used: asp.net and c#, we are using Active Directory to limit access in the first place.
What is my purpose?
I would like to save user credentials at the first start of my application.
What is the starting situation?
At the first start I have a configuration dialog, which allows the support-employee of my company to configure the application firstly. At these dialog he can also set sundry credentials. I need these credentials for every user, who starts the app. (it is a network-based application)
May some solutions?
I know, there are 'user settings' in WPF. But these are not persistent. That means, I lose the credentials, if the application is closed and another user is starting the app. But I need these credentials persistent. And for every user.
Of course, there are also 'application settings'. But these settings I cant set dynamically at the first start of my app. So I need to set the credentials for every customer at the development and compile one executive per customer.
Furthermore I can also save these credentials in a special database. But to create a database, only for this purpose seems a little bit to huge for me.
Would be really nice, if somebody could help me. :-)
You could store it in a local SQLite database, it takes just a few lines of code and one table but either store the hashes or make sure credentials are encrypted.
Also, user settings are persisted and as long as the other user is using his or her own Windows logon their user setting will not overwrite user settings of other users. However these are stored in a plain text config file so if storing credentials you should at least encrypt the values...
I am developing an accounting application using C# with SQL Server Express 2008, the application only accesses the database locally. i want the customer to enter a user name and password when he installs the application, that way he is the only one who can run the application, and my question is:
1. should i store the log in credentials in a local file, or create an sql server user account with those credentials and rely on the database keeping them a secret ?
2. if the second option is doable, how to do it from the installer package ?
There's a lot more to this.
If whoever installed sql server selected sql server security that user (sa) will have been defined and will have access to everything.
If windows only then it will be the windows user who installed sql server, and they will have access to everything
If Mixed, both will have access to everything
Then which user created the database on the server, they'll be dbo by default and have full access to their database.
So it all depends on who's doing what.
Does your app intaller call the sql server install?
Does it create the database?
Admin and dbo, can both grant access to said database to anyone they like.
Adding the windows user installing the app is simply a matter of getting your installer to execute a sql command or two. At that point you have Single Sign on. No need for password you are adding the windows user and mapping them to a database role/user.
If you want a username and password any user could use if they know it, then perhaps sql only / mixed mode is the way to go. Again a couple of sql commands executed from your chosen installer to caete user fred password ?, job done.
The point to remember is in order to execute the instructions to add logins and users, roles etc, you need to connect as someone else with permission to do that, e.g. windows admin or sa.
Also most application users on managed networks do not have admin permissions, so you could have a bit of fun round that as well.
I suggest you have about of a read about sql server security, there's a few ways to skin this cat, only you have enough info to choose the best option.
You might even want to have a think about application based security, if each install of your application creates it's own database and role....
You could do something like, store database settings, such as IP, Port, Username and password login attempt credentials locally, perhaps in an XML file, but then store the login credentials for the program in the database.
Note: Obviously i don't know how much you know about security, but here's a few tips:
1)Don't store the password directly in the database. Use a hash and some method of encryption.
2)Check the hash of a given password a user attempts to log in with, with the database stored variable you created for the program, which should also be a hash.
Basically, at no point should the database know what the actual password is, only a given hash that you passed it, and can compare to in the program itself.
With regards to the database access, I would create a user which has access to only the schemas you want it to. From there, get the logged in user in your application / program to log into the database with the credentials in, for example, an XML file. It's also an idea to encrypte these details in the XML file too, so they can't be tampered with locally.
I have written an application that maps a user's SkyDrive to a network drive.
However when opening word documents directly from the network drive, Microsoft Office 2010 tries to load the document using WebDav and prompts for the user to login in again.
When you login it works fine, and if you click "Remember Me" it stores the credentials in the credential store, accessible via rundll32.exe keymgr.dll, KRShowKeyMgr
This only lasts until the session is closed.
I want to incorporate the automatic storing of the user's credentials into my program so that the user doesn't get prompted at all.
I have tried using the CredWrite API however that only allows me to store generic credentials. I need to store a (.Net Passport) credential.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375187(v=vs.85).aspx
I have only been able to achieve this using the CredUIPromptForCredentials API with the flags set to CREDUI_FLAGS_SERVER_CREDENTIAL
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375177(v=vs.85).aspx
I have inspected the API call that word makes to credui.dll and it is identical to the one I am calling (aside from some captions).
But it produces different results.
My code produces this credential to be saved
The word api call/subsequent code produces this credential
However I cannot figure out how to get the credential target to save correctly so that office will load it without prompting. I'd prefer to even have the prompt load if there is no option as I can pre fill the username and password so that the user just has to click OK but I'd like to do it silently.
Additionally if there is anyway to disable word's WebDav support/force it to use the network drive as an actual network drive that would also work. I have been unable to find any answer. If anyone has any idea I would greatly appreciate it.