I have a .NET Application and a Windows Service, both run on the same machine. Application runs in a non-administrative user session.
Application communicates with Service via TCP.
Is there a way to secure this communication using standard API?
I need to ensure that Service accepts connections from my Application only, and it is not altered.
For instance, service requests OS to issue a security token, which can only be read by my Application executable with original control sum, then Application reads the token, sends it over to my Service when establishing the connection, and Service requests OS to verify it - something like that.
Related
I have written a web application that is, typically, installed internally by customers (based on IIS/MSSQL server).
When a customer wants to provide external access to the application, we offer the following supported scenarios:
Publish the application in their DMZ (pretty standard deployment).
Use our own platform where we host the application in our own cloud infrastructure for them.
However, because I have more and more customers who misunderstand the requirements for publishing an internal application, I would like to add a "one click" way of providing that service.
My idea is to have a reverse proxy installed on the customer's web server that will connect to a cloud server we control. When the application starts, it will connect to our server, authenticate and maintain the connection. When a user wants to use the application, she will use an URL that directs it to our server (say https://myapp.mycompany.org/CustomerID or https://CustomerID.myapp.mycompany.org). The server will then lookup the list of connections from reverse proxy to find the one matching the customer ID and, if found, use that connection to relay the end user connection.
In essence, that is the same thing as what Azure Application proxy or TeamViewer do, only without the need for using Azure AD or TeamViewer.
Is there an existing framework I can use for building such a service ? I know I can write it on my own but that is quite a large development.
I am trying to get a flask app deployed to a windows server (IIS 7.5) that passes the client NTLM Windows Authentication to the SQL Server connection in SQL Alchemy.
At the moment the connections string looks like this:
"DRIVER={SQL Server Native Client 11.0};Server=%s;Database=%s;TDS_Version=8.0;Trusted_Connection=yes;"
And the Trusted_Connection=yes serves to pass the owner of the web server process to SQL Server. This works great when running the development server because I am invoking the server so my access credentials get passed. BUT when IIS runs the server it inherits the application pool identity and sends a bogus non domain user as the auth credentials.
I have tried to use the WindowsAuth setting in the webconfig but SQLAlchemy keeps passing the app pool identity to the sql server.
I've had similar issues with SQL DB Connections, and the workaround that worked was to create a Windows Network User and have IIS run applications with that identity instead of the App Pool identity. This 'real user' identity is then passed on to any downstream invocations (SQL).
This scales well in an enterprise environment and prevents most security change problems because the user is a 'normal user' and only nominally a 'service account'.
I have C++ Backend process run on A server. Any process can connect to A server to get real time data feed.
I have web application (grails) run on B server.
Client Access via web browser to http://bserver/
I have a feature that web client can monitor realtime data of A server
which client not be able to access A server directly due to firewall policy, but Web application on B server will connect (tcp socket) to A server and pass data to web client.
Would you mind to advise the way that easy to implement.
We have a Windows app hosting a WebBrowser control that hits our REST APIs. We like to restrict access to the APIs to be only coming from withing the Windows app itself (for example, the APIs cannot be accessed in a browser, etc).
How can we accomplish that? what is the most secure way without having to expose any kind of credential (for example, if we use HTTP Basic auth, the username and password can be seen by reverse engineering the app itself)?
Thanks a bunch!
EDIT: We plan to distribute the application freely so we have no control over where the connection will be made from.
Restrict the REST interface to only accept connections from 127.0.0.1 (home) and then connect from your rest-consuming application only with http://localhost or http://127.0.0.1 in the URLs (if you use the external IP or DNS name of your machine it'll be treated as a remote connection and denied access).
You can do this with web server settings, or within the code of your REST APIs
I had a similar situation during a project where we distributed an iPhone app that also connected to a REST api that my team developed.
For security we used somewhat of a three-legged scenario. The app was required to authenticate using the user's credentials against a standalone service responsible only for authenticating and generating access tokens. Once the app received a valid access token, subsequent requests to the api required sending this token in the Authorization header.
You could do something similar. If you come up with a credential scheme to authenticate your app as valid API consumers you could use basic auth over HTTPS to obtain tokens, and then only by using those tokens could a consumer gain access to the rest of the API.
I have a windows service in which i host a wcf service.
What is the best approach to control the windows service via the wcf service? I already created the interfaces for the wcf service, but I have no idea how to interact with the windows service's classes and functions.
just to check that I'm understanding your problem correctly - you want to run a wcf service, so you create a windows service to host it, and you want your desktop client to be able to control the windows service (that's hosting the wcf service) by talking to the wcf service?
If that's the case, what is it that you're trying to do with the windows service? In some of the work I've done, I've set up the server such that there's the windows service hosting all the wcf services I want to run, and in order to interact with that windows service remotely (e.g. starting/stopping/restarting) I have another service running on the server (usually baked into the Amazon instance image so it's running on every new server that gets brought up) which my remote client can talk to instead. That way I have a means to trigger a service restart on all my servers without having to manually connect/remote desktop to each server. Of course, the second wcf service is secured by some means so it can't be exploited easily.
Is that the sort of thing you're looking to do?