So, I'm trying to check from my application if my device has any type of protection when the user tries to unlock it.
What it means: I need to know if the device could be unlocked without a graphical (numeric) key for mobile devices. For desktop devices, I need to know if the current user has a password.
Is it possible in general for both cases (mobile and PC)?
On PC it seems there is no method to detect if a password is set for the user account, but there is a method to check if a PIN is set, using the KeyCredentialManager.IsSupportedAsync | isSupportedAsync method. You can check the official KeyCredentialManager sample, specifically the PassportAvailableCheck() method in the SignIn.xaml.cs file.
For PC, a PIN is a higher level of security; it can be set only if a password is set, and there could be other security policies. On mobile there is no password; if a PIN is set, it can be detected.
This topic belongs to the Security part of UWP apps. Here are some good documents, for example Create a Microsoft Passport login app and Fingerprint biometrics. They may not be able to fully solve your problem, but you can see what we can and cannot do in a UWP app from these documents.
Related
Using Firebase in Unity, I know that I can send a verification email to register a new login, but I would like that when the user tries to log in on another device, Firebase sends a verification email confirming the action and exiting the old device. I don't know if this is possible because I'm a layman in the subject.
Language used is C# and I don't even know the terms to search on the internet.
The Firebase SDKs and products are not bound to specific devices. So there is no built-in way to get them to verify a user moving from one device to another.
The closest that exists within Firebase are its Installation IDs, which identify a specific installation (so a specific app on a specific device). If you'd associate an installation ID with each of your users, you could detect when they use a different installation ID than the one you have stored for them, and initiate a verification for the new device. But that'd be up to you to implement, as Firebase has nothing built in for such verification.
I'm new to Xamarin so I'm still trying to figure out how some things work.
The thing is, I wanted to create a simple application where the user will receive an email if his account is logged into an unknown device (yes, it looks like login alerts).
Correct me if my proposed method is incorrect: I want to create a list of every known device each user has logged in on, and compare it to the current device the login attempt was made from. Is there a unique Android device ID in Xamarin that I can use for this situation?
Any answers/suggestions will be much appreciated 😁
Thank you in advance
Using device ID would mean that if the user uninstalled your app and stashed the phone for a year, it would still be considered trusted. Users most likely won't remember what they did in the past and will blame you for failing to alert.
What you should use is an instance ID: a UUID that the app generates once and then saves. So uninstalling your app or clearing its data would make it "brand new and untrusted" - because that's exactly what users expect.
To paraphrase Fifth Element: Device not important. Only app important.
Also note that mobile users expect to log into an app once and remain logged in forever. Some apps (like banking apps) add an extra PIN, fingerprint or password to actually access the data, but the app remains paired to the user account forever. In that case, there is a server-side list of app instances paired to the user's account, so it's trivial to notify about a new pairing. Bonus: you don't need any client-dependent IDs; have the server assign the ID on pairing.
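The server-side pairing list described in the answer above, as an added sketch that is not part of the original post. `PairingRegistry`, its members and the sample values are hypothetical; storage is an in-memory dictionary and the alert is a callback standing in for the e-mail.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not code from the answer; every name here is hypothetical.
public sealed class PairingRegistry
{
    // account -> SHA-256 hashes of the instance tokens paired to it (raw tokens are never stored)
    private readonly Dictionary<string, HashSet<string>> _paired =
        new Dictionary<string, HashSet<string>>();
    private readonly Action<string, string> _alert;   // e.g. sends the e-mail

    public PairingRegistry(Action<string, string> alert) { _alert = alert; }

    // Run after a full credential login from an app instance that presented no valid token.
    public string Pair(string account, string clientLabel)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);   // server-assigned instance ID
        if (!_paired.TryGetValue(account, out var hashes))
            _paired[account] = hashes = new HashSet<string>();
        hashes.Add(Hash(token));
        _alert(account, clientLabel);                  // every new pairing is reported
        return token;                                  // app keeps it in its private storage
    }

    // Run on later launches: a known token means no alert and no re-pairing.
    public bool IsPaired(string account, string token) =>
        !string.IsNullOrEmpty(token)
        && _paired.TryGetValue(account, out var hashes)
        && hashes.Contains(Hash(token));

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Main()
    {
        var sent = new List<string>();                 // constructed stand-in for a mail queue
        var reg = new PairingRegistry((a, label) => sent.Add(a + ": new pairing from " + label));
        string token = reg.Pair("alice", "phone");     // constructed sample values
        Console.WriteLine(reg.IsPaired("alice", token));  // same install: still paired
        Console.WriteLine(reg.IsPaired("alice", null));   // reinstalled or data cleared: untrusted
        Console.WriteLine(sent.Count);
    }
}
```

Because the token lives only in the app's own storage, an uninstall or data wipe discards it and the next login goes through `Pair` again, which is what triggers the alert.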
I need to write a script that verifies that the user is not using the "Picture Password" feature in Windows 8. I'm using .NET 4.
I tried to search for info about it, but couldn't find anything. Do you have any clue how it can be done?
My company's information security forbids using picture password when using another specific product (can't give more info). I need to enforce this request by code.
You don't enforce these kinds of things with code, you enforce them with Group Policies.
To do so, open the Group Policy editor (gpedit.msc) and navigate to the following path:
Computer Configuration\Administrative Templates\System\Logon
Double-click the "Turn off picture password sign-in" setting, and set either the "Enabled" or "Disabled" option.
Of course, you don't have to do this on each local machine. You can create Group Policies that apply network-wide to specific groups of users. Ask on Server Fault to get more help on setting that up, or talk to your network administrator. Presumably if you have information security policies, you already have a department that handles these sorts of things.
I see that you have Windows-RT as a keyword on the question. So if the application that needs to do the checking is a Windows 8 Store app (Modern/Metro app), you will not be able to achieve this.
There is no API to check for this in 8, and as far as I know there isn't one in 8.1 either.
There is no access to the registry for Store apps.
Even if you did manage a way to detect the settings via some other method, you need to ensure it's done through the Windows 8 API otherwise you won't pass certification (section 3.1).
You can however push the policy via GPO if that's an option.
Based on Windows 8 RT being removed from keywords, that means it's not a Windows 8 Store app. Leaving prior answer in case someone finds this and is asking about Store apps.
You should be able to review the setting via the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" and checking the value of either BlockDomainPicturePassword or AllowDomainPicturePassword.
I don't know why there are two; I'll leave the testing to you as to which one is the right one.
I have written a C# 4.0 application that analyses the microphone input and records DTMF tones that represent credit card numbers entered by our clients. This all works well, but since we are working under PCI Compliance (see www.pcisecuritystandards.org), we don't want to allow the logged in user (call centre staff) to listen to or even record the microphone input so that they can then parse the credit card numbers on their own with a 3rd party app or their phones. So the question I have is:
How can I restrict the microphone input to a specific application so that it can't be heard or recorded somewhere else?
If there is no solution to this, the 2nd question arises:
How can I restrict the microphone input to a specific user so that it can't be heard or recorded somewhere else (I could run the software as a Windows service under specific user credentials)?
Kind regards,
JB
The main way to restrict access to a device is setting a Security Descriptor on the device. So granting the permission to a specific user group is the way in which you should go.
The exact implementation for Windows XP could be different from later versions of Windows. Windows 8 has new possibilities too. Audio Mixer APIs can be used in Windows XP. Starting with Vista, the Windows Multimedia Device (MMDevice) API can be used. MMDevice API's implementation of the property store. You can use IPropertyStore::SetValue and IPropertyStore::Commit to change properties. The Unified Device Property Model is introduced starting with Windows Vista. There are different Windows APIs which internally use SetupAPI to access devices and to set their properties (see here). I think that you should set the PKEY_Device_SecuritySDS property to secure the device. One can use old APIs like SetupDiSetDeviceRegistryProperty and SetupDiSetClassRegistryProperty to set the properties on Windows XP (see here).
If I start devmgmt.msc on my computer and examine the default property of the microphone device, then I can see the Security Descriptor.
What you need is to change it so that only specific user groups (or users) access it.
There are PKEY_Device_SecuritySDS and PKEY_Device_Security properties which can be changed by SetupDiSetDeviceProperty and SPDRP_SECURITY_SDS or SPDRP_SECURITY (see here). Usage of SDS parameters (PKEY_Device_SecuritySDS or SPDRP_SECURITY_SDS) could be easier because they use readable Security Descriptor Definition Language (SDDL).
After you change the security descriptor on the device you need to use SetupDiSetClassInstallParams and SetupDiCallClassInstaller with DIF_PROPERTYCHANGE and DICS_PROPCHANGE to reset the device. You can find the code example in the source code of the devcon utility in the WinDDK. Alternatively you can use CM_Disable_DevNode and CM_Enable_DevNode to restart it with new properties.
You should be able to do it with the Core Audio API. For each playback device and capture device in the system, you can control whether the device can be used in exclusive mode.
One drawback - there is no support for Core Audio API under Windows XP.
I think the solution to your problem is to write a KS Filter.
Create a Kernel Streaming filter that is able to decode the DTMF on demand of your application and send the decoded data to your application. When the filter is in DTMF decoding mode, it just outputs silence to the rest of the filter stack.
If a USB audio device is used, you could also write a GFX Filter instead, which can be configured on a per-user basis. But this only seems to work for 32-bit operating systems. WinDDK has a sample called gfxswap.xp.
You can use ASIO audio drivers in your application.
ASIO is a technology developed by Steinberg to provide low latency audio input and output, and as a side effect, requiring a device using an ASIO driver completely restricts the device use to the process that required it, in addition to multiple other advantages that may be irrelevant to your needs.
It is available for every soundcard thanks to the ASIO4ALL project, so compatibility won't be an issue as long as you provide it with your application.
For more information, check out the Wikipedia article about ASIO here, or pick up the SDK here (you will need to register a Steinberg Developer account to proceed).
Will it be helpful if you can control (MUTE) the VOLUME of the sound device and set it back to its former state once you are done? You can look at this link for ideas. Good luck.
I wanted to know which process in Windows is user specific, I mean it gets created for each user login. I tried explorer.exe, but when you switch user and log into a new account then it shows the old login name in my code. Basically I need to just log which user is logging in when in the app.
If all you need to know is which user(s) are using your app, can you just check Environment.UserName when you start your app?
I missed the tag indicating you created a Windows Service. That's a very different type of animal than a regular application, and the advice you receive for one is not necessarily transferable to the other.
Specifically, I notice that you've tagged this question windows-7. If you're trying to run this service under Windows 7, you need to understand a few things about how the model for Windows Services was substantially altered starting with Windows Vista. Specifically, they now run in an isolated session and are prohibited from interacting directly with the user.
Also see my answer here for a better explanation.
The fundamental point is that, from the perspective of a Windows Service, there is no such concept as the currently logged-on user. A Windows Service runs in its own isolated session and is not affiliated with any particular user. That's why the code you found to determine the user associated with a particular process is not working as you expect for a Windows Service. A standard user doesn't own the process running the service. (And replacing your service with an application is also not a viable option, given how I understand your requirements. As I explain here, user-mode applications are started when a particular user logs on and will be closed whenever that user logs off.)
Another problem is that more than one user can be logged in simultaneously to a single workstation. Windows is a thoroughly multi-user operating system, so the best that you can hope for is to enumerate all of the currently logged in users. The NetWkstaUserEnum function will get you that list, but note that it includes all types of logons, including interactive users, services, and batch logons. To call this function from C#, you will need to P/Invoke—you can find information about that over on pinvoke.net.
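A P/Invoke wrapper for the NetWkstaUserEnum call mentioned in the answer above, as an added example that is not part of the original post. The class and method names are hypothetical; the declarations follow the documented Win32 signature at information level 1, and the filtering of `$` accounts and duplicates is a choice made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added illustration, not code from the answer; LoggedOnUsers and Enumerate are hypothetical names.
public static class LoggedOnUsers
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct WKSTA_USER_INFO_1
    {
        public string wkui1_username, wkui1_logon_domain, wkui1_oth_domains, wkui1_logon_server;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    private static extern int NetWkstaUserEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resumeHandle);

    [DllImport("netapi32.dll")]
    private static extern int NetApiBufferFree(IntPtr buffer);

    private const int NERR_Success = 0, ERROR_MORE_DATA = 234, MAX_PREFERRED_LENGTH = -1;

    public static ICollection<string> Enumerate()
    {
        // The API returns one entry per logon, so the same account can appear several times.
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        int size = Marshal.SizeOf(typeof(WKSTA_USER_INFO_1)), resume = 0, rc;
        do
        {
            IntPtr buf; int read, total;
            rc = NetWkstaUserEnum(null, 1, out buf, MAX_PREFERRED_LENGTH, out read, out total, ref resume);
            try
            {
                if (rc != NERR_Success && rc != ERROR_MORE_DATA) throw new Win32Exception(rc);
                for (int i = 0; i < read; i++)
                {
                    var u = (WKSTA_USER_INFO_1)Marshal.PtrToStructure(IntPtr.Add(buf, i * size), typeof(WKSTA_USER_INFO_1));
                    // Names ending in '$' are the computer account (service logons), not a person.
                    if (!string.IsNullOrEmpty(u.wkui1_username) && !u.wkui1_username.EndsWith("$", StringComparison.Ordinal))
                        users.Add(u.wkui1_logon_domain + "\\" + u.wkui1_username);
                }
            }
            finally { if (buf != IntPtr.Zero) NetApiBufferFree(buf); }   // buffer is allocated by the API
        } while (rc == ERROR_MORE_DATA);
        return users;
    }

    public static void Main() { foreach (string u in Enumerate()) Console.WriteLine(u); }
}
```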