Security - Visual Basic .NET

MSSQLServerDeveloper

I am running in a windows 2000 environment and have the following scenario /
question.

I have a vb.net application. Before allowing the user the go into the app,
I would like to validate against the windows password. Is there any easy way
to do this?
tia

Nov 21 '05 #1

Subscribe Reply

2610

Crouchie1998

Hi

No, there is no easy way to do this because the function LogonUser API
doesn't work in Windows 2000 unless you can set the SE_TCB_NAME (act as part
of the operating system), which will allow Windows 2000 to be opened up. That
means its an extremely big security risk.

If you find out how to set SE_TCB_NAME using VB.NET then there are literally
thousands of people who will want to know the answer because Microsoft would
NEVER release this information.

You can set SE_TCB_NAME manually in Windows 2000, but you are risking
security in a big way. Go into CONTROL PANEL, ADMINISTRATIVE TOOLS, LOCAL
SECURITY POLICY, expand USER RIGHTS ASSIGNMENT & 'add' users to ACT AS PART
OF THE OPERATING SYSTEM.

Restart the computer & now LogonUser 'should' work.

I DO NOT ADVISE YOU TO DO THIS - YOU HAVE BEEN WARNED!!!!!!!!! !!!!!!!!!!!!!!!

Nov 21 '05 #2

MSSQLServerDeveloper

What about a way to somehow validate against LDAP. I'm not saying I want to
know the password, just pass whatever the user types in to compare it . Any
other ideas?

"Crouchie19 98" wrote:

Hi

No, there is no easy way to do this because the function LogonUser API
doesn't work in Windows 2000 unless you can set the SE_TCB_NAME (act as part
of the operating system), which will allow Windows 2000 to be opened up. That
means its an extremely big security risk.

If you find out how to set SE_TCB_NAME using VB.NET then there are literally
thousands of people who will want to know the answer because Microsoft would
NEVER release this information.

You can set SE_TCB_NAME manually in Windows 2000, but you are risking
security in a big way. Go into CONTROL PANEL, ADMINISTRATIVE TOOLS, LOCAL
SECURITY POLICY, expand USER RIGHTS ASSIGNMENT & 'add' users to ACT AS PART
OF THE OPERATING SYSTEM.

Restart the computer & now LogonUser 'should' work.

I DO NOT ADVISE YOU TO DO THIS - YOU HAVE BEEN WARNED!!!!!!!!! !!!!!!!!!!!!!!!

Nov 21 '05 #3

Crouchie1998

The LogonUser function doesn't give you the password because the password in
windows 2000 is converted to a one-way hash, so, when you log in its checked
against that hash.

The logon user function just fails on Windows 2000 without acting as part of
the operating system set.

However, if you are using Windows XP then the LogonUser function succeeds
because XP is so insecure & I am sure it used to pass the passwords as plain
text without using ZeroMemory to clear it from memory. Maybe with the
introduction with SP2 they have fixed that security flaw.

The best way for you in my opinion is to create a XML file & hold it in the
user's application data section of their profiles. You can encrypt/decrypt
the password & the users won't be able to get into anyone elses application
data folder. This method was suggested to me by Duncan MacKenzie from
Microsoft some time ago & I have implimented it in applications that needed
it.

Nov 21 '05 #4

Jay B. Harlow [MVP - Outlook]

MSSQLServerDeve loper,
In addition to the other comments.

Are you attempting to validate the current user or are you attempting to
authenticate the current user is allowed to use the program?

If you are attempting to validate the current user Keith Brown's book "The
..NET Developer's Guide to Windows Security" from Addison Wesley contains a
plethora of information on security under Win32 & specifically .NET.
Including a topic on how to prompt for a password. You can access the book
on-line at: http://www.pluralsight.com/keith/book/html/book.html I have not
tried the API reference, however a quick scan of MSDN suggests you might be
able to use it for the current user...

NOTE: Keith's book also includes a topic on how to run a program as another
user! (via the CreateProcessWi thLogonW Win32 API)

If you are simply trying to authenticate the current user is allows to use
the program I would consider using Code Access Security and/or Role-Based
Security coupled with Win32 ACLs, rather then prompt for a password.

Info on Code Access Security:
http://msdn.microsoft.com/library/de...sssecurity.asp

Info on Role-Based Security:
http://msdn.microsoft.com/library/de...edsecurity.asp

Keith's book on info on using Win32 ACLs from .NET.

Hope this helps
Jay

"MSSQLServerDev eloper" <MS************ ******@discussi ons.microsoft.c om>
wrote in message news:88******** *************** ***********@mic rosoft.com...

I am running in a windows 2000 environment and have the following scenario
/
question.

I have a vb.net application. Before allowing the user the go into the
app,
I would like to validate against the windows password. Is there any easy
way
to do this?
tia

Nov 21 '05 #5

Similar topics

5640

row level security

by: robert | last post by:

well, talk about timely. i'm tasked to implement a security feature, and would rather do so in the database than the application code. the application is generally Oracle, but sometimes DB2. Oracle has what it calls package DBMS_RLS, which implements application ignorant row level security. scanning this group yielded "you can't do that; use views". then i dug out DB2Mag qtr 1 2004, and there is MLS for v8/390. from this article,...

DB2 Database

116

7513

Security - more complex than I thought

by: Mike MacSween | last post by:

S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data and some who couldn't but that it wasn't important right now. And I said, 'sure, we can do that later'. So now I've developed an app without any thought to security and am trying to apply it afterwards. Doh!, doh! and triple doh!

Microsoft Access / VBA

7983

Error using WS-Security

by: Ashish | last post by:

Hi Guys I am getting the following error while implementing authentication using WS-security. "Microsoft.Web.Services2.Security.SecurityFault: The security token could not be authenticated or authorized ---> System.Exception: WSE565: The password provided the SecurityTokenManager does not match the one on the incoming token. at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyPlainText

C# / C Sharp

3369

Design Issue: Separating Application Security Model from the Application (Custom or User) Controls

by: Earl Teigrob | last post by:

Background: When I create a ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is comprised of a DataGrid may have separate permissions for adding, deleting and updating a news item. Problem Up until now, I have been implementing security directly inside the control. I will test directly against the security model to see if...

ASP.NET

415

Design Issue: Separating Application Security Model from the Application (Custom or User) Controls

by: Earl Teigrob | last post by:

ASP.NET

9172

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

9032

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

8908

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

8880

Discussion: How does Zigbee compare with other wireless protocols in smart home applications?

by: tracyyun | last post by:

Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...

General

6532

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

4374

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

3054

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

2344

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP

2008

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General