I am working on a Windows server application that will transfer sensitive information to another Windows server over a socket using an HTTPClient. The servers are supposed to be configured to use IPSec. So yay, I I don't have to do anything to setup the secure connection at the application level. However, I have been instructed to ensure that if the connection is using IPSec and abort if it is not.
How can I programmatically determine if the connection is indeed secured with IPSec? The application is C#, on Windows Server 2016. I am open to P/Invoke based solutions or C code if that is required to make this work. So long as it can ultimately work with a C# HttpClient class.
It is not application's concern and can't be done. The tunnel is transparent to application level users of the network stack. If you want the application to ensure that connection is encrypted and authenticated, use TLS. Otherwise it is up to the network/system administrators to make sure that policies are setup so that only ipsec traffic is allowed.
Imagine that you figure out a way to ensure that tunnel is setup by interrogating the OS in some way. And then in 2 years the system needs to be scaled up and IPSec termination is moved to dedicated hardware. Oops.
Related
PostgreSQL, by default, does not allow remote connections. I know I could change the configuration to allow remote connections, but the software vendor will not support making any changes to the configuration. Since we develop add-on products for this vendor, we cannot simply ignore their wishes.
I would like to access Postgres from a remote computer. But making connections must come from what appears to Postgres as localhost. I'm not at all familiar with what I believe is called a TCP Port Forwarder, or maybe it is called a proxy? or Relay? In any case, I need to make remote connections to Postgres as if the requests were coming from localhost.
I already have a Windows service running on the same server as Postgres, so I would like to add this port forwarder, proxy, rely on this service. We need to do this in c#.
Alternatively, if there is already a tool available for this purpose, that I can run as a service, that would be fine as well.
It is correct that by default Postgres doesn't allow remote connections. But this can easy be changed in the pg_hba.conf file.
For this you just need to add a line with the address of your remote host.
For example:
host postgres all 192.168.12.10/32 md5
Columns:
Type: in your case Host
User: I used postgres in this example, but I recommend you
using a dedicated user as postgres is a superuser.
Database: Which database you want to access via this user and host, I left it to all, but again it is advisable to be more specific
Address: The address of the remote host
The authentication method. (md5 for md5 encrypted password). You can also set trust if you don't want any authentication at all.
For more options I refer to the postgresql documentation: https://www.postgresql.org/docs/9.3/static/auth-pg-hba-conf.html
You say you have a windows service running on the same computer and I take it that you have the code of that service under your control. In theory you can add some code in the service and get the updated binaries installed on that computer. This code can do the proxying between incoming tcp connection from internet and local postgres. From postgres point of view it will look like a localhost connection.
But,
There are some very valid reasons why only local calls are allowed and calls over network are blocked.
Your service may or may not be running with sufficient privileges to listen on a publicly open port.
If any antivirus is running on the machine, it will most certainly flag your app as suspicious and frankly, it is.
Best way to approach this is to ask the vendor nicely to grant access - or to work within the limitations.
It smells of some legal or ethical wrongdoing, but i may be wrong.
Having said that, here are the basic steps:
The service onStart registers a TcpListener on ip 0.0.0.0 and some port known to you.
On a seperate thread in a while(true) loop attempt to GetStream()
Start a TcpClient on ip localhost and postgres port
On a seperate thread in a while(true) loop attempt to GetStream()
In a while(true) loop read from listener's stream and write to client's stream. You may want to use a buffer or an array.
loop until you read a -1
This algo should work in principle.
I hope you are not hacking someone. Please dont.
You need to create a user and allow remote connection to this or an existing user.
you should be able to connecte remotly.
good luck.
I used this MS link to put together a TCP server in C# on a PC. I'm holding the port open and waiting for connections to be established by various PLC clients. The PLCs are in moving autonomous bots, so they move in and out of Wi-Fi range. I'm using this setup to acquire running variables (battery %, etc.) from the bots and display them in a UI for the system administrator to monitor.
I setup the router with port forwarding so that the data arrives on the server PC from the various clients. I'm using Siemens S7-1200 PLCs and I don't believe that they support high end security features like PCs.
So my question is this, if the admin PC is running a Windows service that constantly monitors the open port then is there a security risk? And if there are risks, can you please explain and support with links or resources to help me patch these holes (in C#)?
It seems safe to me because if the PC is off, the port is closed. If the PC is on, the port is open but is bound to the application monitoring it. If the port receives something that it does not deem valid it just dumps that data. I am not incredibly knowledgeable on software and PC security, but this is slightly different because it is a single PC interfacing with less capable hardware.
Having a port open exposes you to anyone connecting to that port and providing bad information, exposing a vulnerability on your message parsing and socket handling implementation (buffer overflow or script injection), or just swamping your application with traffic. The last one is almost impossible to protect against, someone can always DOS you at some level.
None of these are unexpected risks, but you need to be aware of them and ensure that you properly scrub incoming traffic to reject malformed requests and somehow authenticate and drop connections that aren't from the bots you expect.
If you do make an authentication step, you'll want to encrypt the channel before authentication using something like SSL or SSH. Otherwise, someone else could watch your traffic, observe the authentication transaction, and then just copy it.
Best of luck! Security is a deep rabbit hole, but a very valuable skill!
I am working on porting a Windows Phone application to Windows 8 Metro, using the WinRT API. It is a networking app that makes use of sockets on arbitrary ports (different servers use different ports) On the Wp7 platform, I am able to set both requirements and preferences on which network connection type to use when opening up a socket connection. For instance, by default the socket will only connect on WiFi and not the cellular data connection to protect the user from unexpected data use, but the user can not only set it to use the cellular connection, but to use it even if they are connected to wifi. This is useful for instance if the user is on a corporate network behind a firewall using a wifi connection, but the server or port they want to connect to is blocked by the corporate firewall. In this case, the user can tell my app to use the cellular data connection even while connected to WiFi, so that the connection can go through.
So far, on WinRT, I have only been able to get information about the currently active internet connection, and to enumerate through each connection. I don't know, however, how to tell a StreamSocket to prefer connecting via an alternate data connection from the currently active one or if this is even possible. Without this capability, the network firewall scenario above will not be possible from the app's end. The user would have to go to system settings and disable wifi just to work with my app. This is not ideal - my users on Windows Phone love the ability to set this preference without turning wifi on or off.
Is there a method of setting a network adapter preference programatically in WinRT the way it can be done in WP7?
Judging from the (preliminary) documentaion, I don't believe it's possible to do this using the standard APIs, without digging deeply into how sockets are instantiated in WinRT - that is, without doing stuff that would get your app disqualified from the Store anyway.
The whole point of the new and redesigned networking APIs is to allows the user (well, and Windows itself) to set the current connectivity options to how the want them, and allow your app to adapt its network usage patterns to the current capabilities of the network.
Arguably, it is a step back from what was available on WP7. But the argument here is to let the system and the user chose what's more correct at this moment, and have apps adapt to that, instead of having the apps to come up with logic for what network interface to use.
I'm trying to track down some failover problems in a third-party connector library that we use. At the moment I am starting and stopping remote services to simulate the failures, this works but is very impractical.
Is there a way that I can programmatically block all connections between a process and a given host?
EDIT: as well as blocking I'd like to drop any existing connections
I think that you can interact with the windows Firewall to achieve what you want ( programmatically block all connections between a process and a given host), take a look at the Windows Firewall Interfaces.
You can also block all connection to the host by writing an entry in the hosts file. You can just redirect the host name to localhost or whatever unreachable address. But it doesn't apply to a single process but to the whole machine. It's more simple than working with firewall, but more global.
I am running a windows service to which I send messages over a NetNamedPipeBinding. The messages are send from a client application which is triggered by a GPO. I just installed the service and client on a new server and I'm getting the following message:
System.ServiceModel.EndpointNotFoundException:
There was no endpoint listening at
net.pipe://localhost/VOXAServices/VOXADefaultPipe that could accept the
message. This is often caused by an incorrect address or SOAP action.
See InnerException, if present, for more details.
There is no inner exception. If I run the client application by double-clicking it's icon on the desktop, it runs without a problem. I manage the code for both the windows service and client application, so I can change whatever I need to. But so far, I'm pretty convinced that the binding, contract, and address are all correct (since everything runs fine when run from the desktop). I believe the problem must be with the client app being run from a GPO. But I can't think of any reason why that would cause this error.
UPDATE:
I read this this on Microsoft's website:
A named pipe is an object in the Windows operating system kernel, such
as a section of shared memory that processes can use for
communication. A named pipe has a name, and can be used for one-way or
duplex communication between processes on a single machine.
When communication is required between different WCF applications on a
single computer, and you want to prevent any communication from
another machine, then use the named pipes transport. An additional
restriction is that processes running from Windows Remote Desktop may
be restricted to the same Windows Remote Desktop session unless they
have elevated privileges.
(Choosing a Transport, Emphasis added)
I need the client process to run in the context of the (unprivileged) user and having a UAC dialog pop up is not an option. Is there anyway for me to give this client process elevated privileges while keeping the process running in the user context and not making the user privileged?
UPDATE #2:
It appears that there is such a thing as global and local (to the windows session) Named Pipes. I believe my windows service is creating a local named pipe and that if I can force it to create a global named pipe, it would solve my problem. (This explains why I couldn't see my pipe in sysinternals "Process Explorer", even though my client app could find it if I launched it from a privileged session). The trouble is, I don't know (and can't seem to find out) how to force a named pipe to be created globally (c#). Any ideas?
The mechanism by which WCF clients find WCF service NetNamedPipe endpoints involves a kernel shared memory object which the service uses to tell clients the actual name of the pipe to be used. If clients are going to be in a different logon session to the server, this shared memory object must be in the Global and not the Local kernel namespace. The named pipes themselves have a single namespace, visible to all clients. You cannot directly control the namespace WCF uses for the shared memory object, but it will be the Global kernel namespace provided that your server is a Windows Service running with SeCreateGlobalPrivilege. Your question seems to imply that this is the case, so I'm sceptical whether your problem is connected with kernel object namespaces.
Two other possible causes are:
The ACLs which protect both the shared memory object and the named pipe. These will always deny access to any security context which has membership of the NETWORK USERS group (SID S-1-5-2). This enforces the WCF guarantee of no remote access to named pipe endpoints.
If you are running on Vista or later, the Mandatory Integrity level of the client process must not be lower than the Mandatory Integrity level of the kernel objects (which will be the implied level - Medium - unless you have taken special steps to elevate using Mandatory Integrity Labels)
I don't know enough about the security context in which your client process started by the GPO would run to advise further, but I suggest you check these two possibilities and post further updates to your question accordingly.