Re: Role based security flaw?



WindowsIdentity can't be faked (unless you start hacking with a debugger or
something). However, I thought this discussion came up in the context of
general role-based security with IPrincipal and not a specific
implementation that relied on WindowsPrincipal. If you can use Windows
security, it is harder to fake and probably easier to deal with.

If you are dealing with your own custom IPrincipal, then it is probably
easier for someone to hack that, but by that time, the game is probably over
for either implementation. As soon as someone starts replacing your local
assemblies with hacked binaries or doing other goofy stuff, the game is
pretty much over.

To answer your other question, it is definitely possible to make some kind
of a remote call to a server to enforce security if that is an option.
Remoting or web services would work fine for that. You still have the
possibility of your local code that does that check getting hoisted, but it
sounds like you are mostly interested in keeping the honest people honest,
so that probably isn't a huge concern.

CAS can definitely also help keep the honest people honest.

Joe K.


"Andy" <ajj3085@xxxxxxxxxxxx> wrote in message
news:1142886555.029704.82080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
William,

#2 and #3 are easy; use PrincipalPermission. #1 requires you to add
lines of code to places... My question was trying to gauge if the
benefit would be worth the time.

Even if all those are met, it's possible that the identity was
authenticated from a rogue domain (well, it might be, I'm not 100% if
that's possible).

Andy
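As an added illustration (not code from either poster), the following C# program puts a PrincipalPermission demand, which Andy suggests for his checks #2 and #3, in front of a method and then runs it under the two kinds of principal Joe K. contrasts: an OS-backed WindowsPrincipal, whose roles come from the logon token, and a custom principal, whose roles are whatever the code that built it chose. It targets .NET Framework (PrincipalPermission demands are not supported on .NET Core); the role name "OrderApprovers" and the method names are made up for the example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the thread. Demonstrates why a role demand
// evaluated against a custom IPrincipal only "keeps honest people honest":
// the demand is only as trustworthy as the code that assigns
// Thread.CurrentPrincipal.
class RoleCheckDemo
{
    // Hypothetical role name used throughout the example.
    const string RequiredRole = "OrderApprovers";

    // Declarative demand: before the body runs, the runtime calls
    // Thread.CurrentPrincipal.IsInRole(RequiredRole) and throws
    // SecurityException if it returns false.
    [PrincipalPermission(SecurityAction.Demand, Role = RequiredRole)]
    static void ApproveOrder(int orderId)
    {
        Console.WriteLine("Order {0} approved by {1}", orderId,
            Thread.CurrentPrincipal.Identity.Name);
    }

    // Imperative form of the same check, for code paths where an
    // attribute cannot be applied (e.g. the role is computed at run time).
    static void ApproveOrderImperative(int orderId)
    {
        new PrincipalPermission(null, RequiredRole).Demand();
        Console.WriteLine("Order {0} approved (imperative check)", orderId);
    }

    // Runs the protected method and reports whether the demand passed.
    static bool TryApprove(int orderId)
    {
        try
        {
            ApproveOrder(orderId);
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied for order {0}: {1}", orderId, ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // (a) OS-backed principal. Group membership is read from the
        // process's logon token, so the process cannot grant itself a
        // Windows group it is not actually a member of. IsInRole returns
        // false if the group does not exist or the user is not in it.
        Thread.CurrentPrincipal =
            new WindowsPrincipal(WindowsIdentity.GetCurrent());
        TryApprove(1);

        // (b) Custom principal. The roles are whatever the constructing
        // code supplies, so any code running in this process (including a
        // replaced assembly, which is Joe K.'s "game over" scenario) can
        // satisfy the demand. This is why the check belongs on a server the
        // client does not control, not only in the client's own process.
        var localIdentity = new GenericIdentity("someone");
        Thread.CurrentPrincipal =
            new GenericPrincipal(localIdentity, new[] { RequiredRole });
        TryApprove(2);
        ApproveOrderImperative(2);
    }
}
```

Run under a user who is not in the (hypothetical) group, case (a) prints a denial and case (b) succeeds, which is the asymmetry the thread is about. The same demand placed in a remoting or web-service method on a server that authenticates callers with Windows security is the arrangement Joe K. describes for enforcing the check where the client cannot tamper with it.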





