Re: Client/server application and Windows Integrated Auth

From: Joubert (Joubert_at_discussions.microsoft.com)
Date: 02/02/05


Date: Wed, 2 Feb 2005 08:07:06 -0800

Hi Joe,

"Joe Kaplan (MVP - ADSI)" wrote:

> Why not let the datastore authenticate the user and do the authorization
> then? Like some others have pointed out on this thread, doing authorization

Because the datastore may not have a server component, e.g. Access.
Although, perhaps what we should do then is to support Windows Integrated
Auth for server-based datastores (in our case SQL Server and Oracle) but
not allow it for MS Access databases.

> on the client might be potentially dangerous. If the user is an admin and
> can attach a debugger, they can do whatever they want to your code. They
> can't do this to the server though.
>
> Hacking the kernel mode security stuff on the workstation is actually fairly
> hard to do (overcoming file ACLs and stuff that is protected by kernel
> objects), but all bets are still off if the local user is an admin.
>
> It really depends on how important it is that your security can't be hacked
> (what is the real threat) and what your deployment environment is like, but
> remember that people put security on the server and try to keep others from
> running debuggers on it for a reason.

Thanks for your remarks - useful comments.

Regards
Joubert

>
> Joe K.
>
> >
> > The setup I described does not involve a server component - i.e. there is
> > no
> > webserver. There is only a client application (i.e. WinForms) that
> > connects
> > directly to the datastore, i.e. the client application does the
> > authentication.
> >
> > So my thinking is that since the application's execution environment
> > cannot
> > be controlled you cannot merely rely on the fact that a "DOMAIN\username"
> > is
> > authenticated since the application can be put in a domain with the same
> > name
> > and run by a user with the same username.
> >
> > Does this make more sense?
> >
> > Cheers
> > Joubert
> >
>
>
>
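The following is an added illustration, not code from either poster, of the two designs compared in this exchange: a WinForms client that authorizes on the workstation by comparing the caller's DOMAIN\username, and one that connects with Windows Integrated Authentication and lets SQL Server make the decision in its own process. The server name, database, table, domain and account names are hypothetical placeholders; the T-SQL in the comment is the server-side grant such a design assumes.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example for the thread above. "sqlhost", "Payroll", "dbo.Salaries"
// and "CORP\joubert" are placeholders, not values from the original posts.
static class ClientAuthDemo
{
    // WEAK: authorization decided on the client from the account *name*.
    // A workstation joined to any domain that happens to be called "CORP",
    // with a user called "joubert", produces the same string. A local admin
    // can also attach a debugger and flip the result of this comparison.
    static bool WeakClientSideCheck()
    {
        string name = WindowsIdentity.GetCurrent().Name;   // e.g. "CORP\joubert"
        return string.Equals(name, @"CORP\joubert", StringComparison.OrdinalIgnoreCase);
    }

    // Somewhat better, still client-side: compare the SID. A look-alike domain
    // has a different domain SID, so the name trick above fails here. The check
    // still runs in a process the local admin controls, so it can still be patched.
    static bool SidCheck(SecurityIdentifier expectedSid)
    {
        return WindowsIdentity.GetCurrent().User == expectedSid;
    }

    // STRONGER: authenticate with Integrated Security and let SQL Server decide.
    // The permission check executes in the server process, out of reach of a
    // debugger on the workstation. Server-side setup this relies on (T-SQL):
    //   CREATE LOGIN [CORP\joubert] FROM WINDOWS;
    //   CREATE USER joubert FOR LOGIN [CORP\joubert];
    //   GRANT SELECT ON dbo.Salaries TO joubert;
    // An Access .mdb has no server process, so this pattern is not available there.
    static bool ServerSideCheck(string connectionString)
    {
        try
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand("SELECT TOP 1 1 FROM dbo.Salaries", conn))
            {
                conn.Open();          // Kerberos/NTLM logon against the server
                cmd.ExecuteScalar();  // throws unless the login holds SELECT on the table
                return true;
            }
        }
        catch (SqlException ex) when (ex.Number == 229 || ex.Number == 18456)
        {
            // 229: permission denied on the object; 18456: login failed.
            return false;
        }
    }

    static void Main()
    {
        const string cs =
            "Data Source=sqlhost;Initial Catalog=Payroll;Integrated Security=SSPI";
        Console.WriteLine("client-side name check: " + WeakClientSideCheck());
        Console.WriteLine("server-side check:      " + ServerSideCheck(cs));
    }
}
```

The point of the contrast is where the decision is made, not how the identity is obtained: both paths use the same Windows logon, but only the second one produces a result the workstation's owner cannot forge.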


