Users cheating on a domain name

We currently have a WinForms application that allows users to log in to access the system. The authentication system is a custom-made key. I am working on introducing a change that associates NT users and a domain name with their existing user account so that they do not need to register multiple times. I am using WindowsIdentity.GetCurrent().Name, then saving this information into a database table that maps it to their old account. I am wondering whether a VPN user can connect to the network with a computer name that reflects the real domain name? This could potentially lead to a fraudulent user gaining access to someone else's user account. My guess is that the real question is: is there a way to distinguish between the SQL Server's domain and the user's domain other than simply comparing the name strings?

+4
2 answers

Yes, if your application uses SQL authentication to access the database. If you change the database connection to use strong authentication, SQL Server will authenticate the login with the domain controller. Therefore, even though the user has access to the application, they will not be able to access the database that controls the application. If you did this, you could also move the username capture into a SQL Server stored procedure, which would ensure that the name matches the domain name, not local users.

+2

THE SERVER SHOULD NOT TRUST THE CLIENT.

If the client can obtain and use credentials to log in to the database server, you are fried.

If your server is only a database server, and your application does not use trusted connections, and your application does not ask for the DB credentials that you are using. (See the previous answer.)

I am lazy. I will fix WindowsIdentity.GetCurrent().Name to return "Administrator" if I feel like it.

+1
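Both answers make the same point: the database server must derive the Windows identity from the authenticated session itself, never from a name the client sends (WindowsIdentity.GetCurrent().Name is just a string the client process can return as anything). The following T-SQL is an added example, not code from the question or either answer. It assumes the application connects over a trusted connection (Integrated Security=SSPI) so that SQL Server has already authenticated the login with the domain controller; the table and procedure names and the domain name CORP are placeholders.

```sql
-- Added example (not from the original question or answers). Assumes SQL Server
-- reached over a trusted (Windows-authenticated) connection. Table, procedure
-- and domain names are hypothetical.

-- Legacy accounts plus the Windows principal linked to each one.
CREATE TABLE dbo.LegacyAccount
(
    LegacyUserId   int           NOT NULL PRIMARY KEY,
    LegacyUserName nvarchar(100) NOT NULL,
    WindowsLogin   nvarchar(256) NULL UNIQUE   -- DOMAIN\user, filled in by the link step
);
GO

-- Weak pattern: the client passes the name it claims to have and the server
-- believes it. This is what storing WindowsIdentity.GetCurrent().Name amounts to.
CREATE PROCEDURE dbo.LinkAccount_Insecure
    @LegacyUserId int,
    @ClaimedLogin nvarchar(256)   -- supplied by the client; cannot be verified here
AS
BEGIN
    UPDATE dbo.LegacyAccount
       SET WindowsLogin = @ClaimedLogin
     WHERE LegacyUserId = @LegacyUserId;
END;
GO

-- Server-side pattern: take the identity from the authenticated session.
-- SUSER_SNAME() returns the login SQL Server itself authenticated. It only
-- identifies the end user on a trusted connection; if the application used one
-- shared SQL login, it would return that login for everybody.
-- (ORIGINAL_LOGIN() can be used instead if EXECUTE AS impersonation is in play.)
CREATE PROCEDURE dbo.LinkAccount
    @LegacyUserId int
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @Login nvarchar(256) = SUSER_SNAME();

    -- Refuse anything that is not a principal from the expected domain,
    -- e.g. a SQL login or a local account such as MACHINE\Administrator.
    IF @Login IS NULL OR @Login NOT LIKE N'CORP\%'
        THROW 50001, N'Account linking requires a CORP domain login over a trusted connection.', 1;

    UPDATE dbo.LegacyAccount
       SET WindowsLogin = @Login
     WHERE LegacyUserId = @LegacyUserId
       AND WindowsLogin IS NULL;   -- never re-link an account that is already claimed

    IF @@ROWCOUNT = 0
        THROW 50002, N'Legacy account not found or already linked.', 1;
END;
GO

-- Later logins resolve the legacy account the same way: from SUSER_SNAME(),
-- never from a client-supplied parameter.
CREATE PROCEDURE dbo.ResolveLegacyUser
AS
BEGIN
    SET NOCOUNT ON;
    SELECT LegacyUserId, LegacyUserName
      FROM dbo.LegacyAccount
     WHERE WindowsLogin = SUSER_SNAME();
END;
GO
```

The @LegacyUserId passed to dbo.LinkAccount should come from a session in which the user has already proven ownership of the old account with the existing custom key, so that the one-time link step binds a verified legacy account to a verified domain login. Under a trusted connection the connection itself carries the identity, so a VPN client on a machine whose name mimics the domain gains nothing: SQL Server still asks the domain controller who is connecting.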

Source: https://habr.com/ru/post/1340097/
