I'm writing code which connects to Active Directory to query and manipulate user accounts. This code includes test sets. I'm currently developing this solution on my home machine, but to test against AD I need to connect to the company's network over VPN. My home machine is not on the company domain, but I need to run under a domain account in order for the AD queries to work. Is there a simple way to do this, or is my only straight forward option to remote onto my company workstation and run the tests there, or have my personal machine added to the company's domain?
I've no real experience with AD, though this is not an issue at all. In fact, this will help prove my point.
Let's say there is a method to return all users within a group. In the code I was developing, if I were you, I would abstract this behind my own interface. For example:
    public interface IGroupFinder
    {
        Users FindBy(Group group);
    }

    public class UserGroupFinder : IGroupFinder
    {
        public Users FindBy(Group group)
        {
            // Code to interact with AD here.
            // Note: Users and Group would be my own classes, not AD's.
            throw new NotImplementedException("AD lookup goes here");
        }
    }
Then I would write the application in question against IGroupFinder, rather than a real, fully fledged AD system. This means I could write unit tests (or other automated tests) from home, your office or anywhere for that matter!
As long as your code "does the right thing" once it finds all users for a group, you should be fine. For example, you could filter the results of this query for all users that have a surname beginning with "F". This is your domain logic, nothing to do with Active Directory. You will test-drive this, not the code required to interact with a third party.
The last step would be to actually create the concrete instances of your domain objects. So once you have a system where AD is configured, you can actually begin to wire these implementations up. I would not unit test this, because by this very definition this is not a unit test. This code will simply be a call into third party code, which will be tested by Microsoft.
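A worked version of the approach described in this answer, added here as an example rather than taken from the answer itself: the domain types, the in-memory fake and the xUnit tests are constructed for illustration, and the Active Directory adapter at the end assumes System.DirectoryServices.AccountManagement plus a domain-joined host (or a domain credential) and, as the answer recommends, is not covered by the unit tests. The domain name "example.com" is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using Xunit;

// Added example, not the answerer's code. Users, Group and User are our own domain
// types, so nothing in the domain logic or its tests depends on Active Directory.
public sealed class User
{
    public string GivenName { get; }
    public string Surname { get; }
    public User(string givenName, string surname) { GivenName = givenName; Surname = surname; }
}

public sealed class Group
{
    public string Name { get; }
    public Group(string name) { Name = name; }
}

public sealed class Users : List<User>
{
    public Users() { }
    public Users(IEnumerable<User> users) : base(users) { }
}

public interface IGroupFinder
{
    Users FindBy(Group group);
}

// Domain logic under test: it only ever sees IGroupFinder, never a directory.
public sealed class SurnameReport
{
    private readonly IGroupFinder finder;
    public SurnameReport(IGroupFinder finder) { this.finder = finder; }

    public Users UsersWithSurnameStartingWith(Group group, string prefix)
    {
        return new Users(finder.FindBy(group)
            .Where(u => u.Surname.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)));
    }
}

// In-memory fake used by the tests, so they run on any machine, on or off the domain.
public sealed class InMemoryGroupFinder : IGroupFinder
{
    private readonly Dictionary<string, Users> groups = new Dictionary<string, Users>();

    public InMemoryGroupFinder Add(string groupName, params User[] members)
    {
        groups[groupName] = new Users(members);
        return this;
    }

    public Users FindBy(Group group) =>
        groups.TryGetValue(group.Name, out var users) ? users : new Users();
}

public class SurnameReportTests
{
    [Fact]
    public void FiltersMembersBySurnamePrefix()
    {
        // Constructed sample data; no directory is touched.
        var finder = new InMemoryGroupFinder().Add("Finance",
            new User("Ann", "Foster"), new User("Bob", "Ford"), new User("Cat", "Smith"));
        var report = new SurnameReport(finder);

        var result = report.UsersWithSurnameStartingWith(new Group("Finance"), "F");

        Assert.Equal(new[] { "Foster", "Ford" }, result.Select(u => u.Surname));
    }

    [Fact]
    public void UnknownGroupYieldsNoUsers()
    {
        var report = new SurnameReport(new InMemoryGroupFinder());
        Assert.Empty(report.UsersWithSurnameStartingWith(new Group("Nobody"), "F"));
    }
}

// The real adapter, wired up only where AD is reachable and deliberately not unit tested.
public sealed class ActiveDirectoryGroupFinder : IGroupFinder
{
    private readonly string domain; // placeholder, e.g. "example.com"
    public ActiveDirectoryGroupFinder(string domain) { this.domain = domain; }

    public Users FindBy(Group group)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var adGroup = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, group.Name))
        {
            if (adGroup == null) return new Users();
            // GetMembers(true) expands nested groups; only user principals become Users.
            return new Users(adGroup.GetMembers(true).OfType<UserPrincipal>()
                .Select(p => new User(p.GivenName ?? "", p.Surname ?? "")));
        }
    }
}
```

The tests run anywhere the test project builds; only ActiveDirectoryGroupFinder needs a reachable domain, and it is substituted for InMemoryGroupFinder at the composition root once the application is deployed where AD is configured.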
Security is not my area of expertise. I am working on a lightweight administrative Laravel web app for internal use by the employees of a small company:
The app is intended to be used only by the employees
Remote work (from home) is not uncommon
Smartphones and laptops are usually used when working remotely
I would like to secure it as much as possible - beyond authentication, access controls or 2FA. I am trying to think of ways to make it virtually invisible to the public, but still available for the employees. Defining proper rules for crawlers might make it a bit more obscure but I think more could be done. Network based restrictions would limit the employee flexibility.
Based on this I got the idea that the app could be made available only if the request is made by an authorized device. I am not sure however whether or not this is a good approach. Neither do I know how to tackle the problem of authorizing the various devices and making that information available to the server during communication.
i.e., how would I tag a device as authorized so that I only have to do it once and can reliably validate the information in a web app? Regular authentication as well as role-based access would still be in place, but the app could return a 404 response if the accessing device is not whitelisted.
Is there a way to achieve something like this while not making it too restrictive for the users or painful to set up? Or is there a better method for achieving the same result?
Consider a VPN?
If you are hosting the device on an internal network, you could see if the IT dept. can set up VPN access to work remotely (in most cases, this is already in place) and then it does not need to be accessed over the internet via a URI. Instead you can simply navigate to the internal address once you're in the network through the VPN - no public access and no need to worry about pesky web crawlers!
It also makes it easier to moderate your application. For example, if an employee leaves the company you can simply revoke their VPN access and they'll no longer be able to access the application.
We have a custom Active Directory integrated web app that helps users perform some self-service on their accounts (e.g. update photo, change phone number, reset password etc.) Our app runs on domain-joined servers, as Local System, and is thus able to authenticate to the AD using the server account(s).
We use a service connection point that the app's clients use to locate an instance of our app. (Our app clients are hard-coded to look for certain keywords which are published on the service connection point's keywords attribute.)
We recently had a situation wherein someone (we believe accidentally) changed the keywords on one of the service connection points resulting in an outage, since the clients could no longer find our SCP when querying the AD for our keyword(s).
The customer is a bit upset about this and wishes for us to provide them the ability to determine who can change the keywords on our SCPs. This feedback was passed on from our sales guys to us, and now we need to provide some way of helping them figure out who can change the keywords on our SCPs.
So, we're looking for an API to help us to determine Effective Permissions on our Active Directory service connection point objects, so we can alleviate this situation for the customer. We couldn't quite find an Effective Permissions / Access API that could help us list all the users who have effective write access to the keyword and other attributes on our SCPs.
Is there an API/other way that one can use to determine Effective Permissions on an Active Directory object?
It needs to be able to list all the users who have a specified access on a specified set of attributes of an Active Directory object.
This Stack Overflow post may be able to help you. LINQ to LDAP should also allow you to access the information pretty easily.
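Since the question is really "which users can write the keywords attribute on our SCP", here is an added example (not from the question or the answer) of how that can be derived from the object's DACL with System.DirectoryServices, which is also what LINQ to LDAP wraps. It reads the SCP's security descriptor, resolves the schemaIDGUID of the attribute so object-specific ACEs can be matched, and then applies the Windows access-check rule for a single requested right (walk the DACL in order; the first ACE whose trustee is the user or one of its token groups decides) to every domain user. Assumptions: the code runs on a domain-joined host with permission to read nTSecurityDescriptor and enumerate users; GetAccessRules returns ACEs in DACL order; the distinguished name below is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not the original poster's code. Reports which domain users hold
// effective WriteProperty on one attribute of one AD object.
public static class ScpKeywordsPermissions
{
    // Resolve an attribute's schemaIDGUID so object-specific ACEs can be matched to it.
    public static Guid AttributeSchemaGuid(string ldapDisplayName)
    {
        using var rootDse = new DirectoryEntry("LDAP://RootDSE");
        var schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
        using var schema = new DirectoryEntry("LDAP://" + schemaNc);
        using var searcher = new DirectorySearcher(schema,
            "(&(objectClass=attributeSchema)(lDAPDisplayName=" + ldapDisplayName + "))",
            new[] { "schemaIDGUID" });
        var hit = searcher.FindOne()
                  ?? throw new InvalidOperationException("No schema entry for " + ldapDisplayName);
        return new Guid((byte[])hit.Properties["schemaIDGUID"][0]);
    }

    // ACEs on objectDn that allow or deny WriteProperty on the whole object (ObjectType empty)
    // or on this attribute specifically, in DACL order. Property-set GUIDs are not expanded;
    // if the attribute is a member of a property set, add that GUID to the match below.
    public static List<ActiveDirectoryAccessRule> WriteRulesFor(string objectDn, string attribute)
    {
        var attrGuid = AttributeSchemaGuid(attribute);
        using var entry = new DirectoryEntry("LDAP://" + objectDn);
        var rules = new List<ActiveDirectoryAccessRule>();
        foreach (ActiveDirectoryAccessRule rule in
                 entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            // An inherit-only ACE exists for children and does not apply to this object.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            bool coversAttribute = rule.ObjectType == Guid.Empty || rule.ObjectType == attrGuid;
            // GenericWrite and GenericAll contain the WriteProperty bit, so they match too.
            bool writes = (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) != 0;
            if (coversAttribute && writes) rules.Add(rule);
        }
        return rules;
    }

    // Single-right access check: first matching ACE in DACL order wins (canonical order puts
    // explicit denies before explicit allows, then inherited denies, then inherited allows).
    // Implicit owner rights (READ_CONTROL/WRITE_DAC) are not modelled here.
    public static bool HasEffectiveWrite(IReadOnlyList<ActiveDirectoryAccessRule> rules,
                                         HashSet<SecurityIdentifier> tokenSids)
    {
        foreach (var rule in rules)
        {
            if (!tokenSids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            return rule.AccessControlType == AccessControlType.Allow;
        }
        return false; // no matching ACE means access is denied by default
    }

    // Enumerate domain users and report those with effective write access. This costs one
    // token-group lookup per user, so run it as an offline audit rather than per request.
    public static List<string> UsersWhoCanWrite(string objectDn, string attribute)
    {
        var rules = WriteRulesFor(objectDn, attribute);
        var result = new List<string>();
        using var ctx = new PrincipalContext(ContextType.Domain);
        using var searcher = new PrincipalSearcher(new UserPrincipal(ctx));
        foreach (var principal in searcher.FindAll())
        {
            using var user = (UserPrincipal)principal;
            var sids = new HashSet<SecurityIdentifier>
            {
                user.Sid,
                // Well-known SIDs every logged-on user carries; ACEs for them apply as well.
                new SecurityIdentifier(WellKnownSidType.WorldSid, null),
                new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null)
            };
            foreach (var group in user.GetAuthorizationGroups()) // token groups, nesting resolved
                if (group.Sid != null) sids.Add(group.Sid);
            if (HasEffectiveWrite(rules, sids)) result.Add(user.SamAccountName);
        }
        return result;
    }

    public static void Main()
    {
        const string scpDn = "CN=ExampleScp,CN=System,DC=example,DC=com"; // placeholder
        foreach (var name in UsersWhoCanWrite(scpDn, "keywords"))
            Console.WriteLine(name);
    }
}
```

The output is the list of accounts the customer asked for. Running the same check periodically and diffing the result is also a cheap way to notice when write access to the SCP has been widened, which is the condition that let the outage happen in the first place.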
I'm trying to connect to Active Directory to look for a specific user, edit that user's properties and save the changes. Seems like a simple task, but I'm having a hard time putting this thing together.
I've tried using VBScript, and although it seems it can be done, I have to add the administrator username and password in clear text, which is NOT a good idea. The script is also triggered by regular users who have no access to Active Directory. So the initial script needs to fire a second script that is run as domain admin.
Someone gave me a tip though. Create a web page or a windows service that the script can call. And that service or webpage connects to AD and makes the actual changes. I guess a windows service would be the cleanest way of doing this.
But I only have Visual Studio Express and it seems I cannot create a windows service with that. The initial script needs to be vbscript, because it's being run from a software where only vbscript is supported.
So what would be the ideal solution here? Would it be possible for the first vbscript to collect the data it needs, pass those as arguments to a second vbscript that makes the actual changes? A vbscript would be easier to maintain, if I need to update more user properties than those I need right now.
We do use SharePoint as well. Perhaps I could create a web part that uses JavaScript to collect the data passed from the initial VBScript and connect to AD that way? Just brainstorming here to find the most appropriate solution :)
The fact that you need to have the administrator's username and password in the script should point out to you that what you're asking for is security through obscurity. Somewhere in your solution, there will be a username and password hardcoded or a program that will perform these tasks without authorizing the client. These are security holes that I would avoid at all costs.
Having said that, the service is probably the least vulnerable. Even though VS Express doesn't have the template, it's not hard to create a service manually. Use WCF to communicate. Run the service as a managed service account, and give that managed service account only the rights it needs to perform its task.
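To make the answer's recommendation concrete, here is an added example (not the answerer's code) of a WCF service, hosted as a Windows service without any Visual Studio template, that authorizes each caller by its own Windows identity and performs the AD change with the rights of the account the service runs under. Assumptions: .NET Framework with WCF and System.ServiceProcess; an HTTPS certificate already bound to port 8443 and a URL reservation for the service account (both done with netsh http); a placeholder group EXAMPLE\AccountUpdaters whose members may call the service; and a (group) managed service account that has been delegated write access only to the attributes the service changes.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceProcess;

// Added example, not the original poster's or answerer's code. No administrator
// credential appears anywhere: the caller is authenticated by Windows, authorized by
// group membership, and the write happens under the service's own delegated rights.
[ServiceContract]
public interface IUserUpdateService
{
    [OperationContract]
    void SetTelephoneNumber(string samAccountName, string telephoneNumber);
}

public class UserUpdateService : IUserUpdateService
{
    const string AllowedGroup = @"EXAMPLE\AccountUpdaters"; // placeholder domain\group

    public void SetTelephoneNumber(string samAccountName, string telephoneNumber)
    {
        // Windows transport authentication supplies the caller's identity; the client
        // never holds or sends a privileged password.
        var caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Caller is not authenticated");
        if (!new WindowsPrincipal(caller).IsInRole(AllowedGroup))
            throw new FaultException("Caller is not permitted to update accounts");

        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdap(samAccountName) + "))";
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain, filter, new[] { "distinguishedName" }))
        {
            var hit = searcher.FindOne();
            if (hit == null) throw new FaultException("User not found");
            using (var user = hit.GetDirectoryEntry())
            {
                // Committed with the service account's delegated rights and nothing more.
                user.Properties["telephoneNumber"].Value = telephoneNumber;
                user.CommitChanges();
            }
        }
    }

    // RFC 4515 escaping so caller-supplied text cannot change the filter's structure.
    static string EscapeLdap(string value)
    {
        var sb = new System.Text.StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}

// Hosting as a Windows service only needs ServiceBase; install it with sc.exe create
// (or InstallUtil) and point it at the managed service account with sc.exe config obj=.
public class UserUpdateWindowsService : ServiceBase
{
    ServiceHost host;

    public UserUpdateWindowsService() { ServiceName = "UserUpdateService"; }

    protected override void OnStart(string[] args)
    {
        // HTTPS for confidentiality of the payload, Windows credentials for the caller.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host = new ServiceHost(typeof(UserUpdateService),
                               new Uri("https://localhost:8443/UserUpdate")); // placeholder address
        host.AddServiceEndpoint(typeof(IUserUpdateService), binding, "");
        host.Open();
    }

    protected override void OnStop() { host?.Close(); }

    public static void Main() { ServiceBase.Run(new UserUpdateWindowsService()); }
}
```

BasicHttpBinding exposes a plain SOAP 1.1 endpoint, so the existing VBScript can call it through MSXML's XMLHTTP object, which negotiates the calling user's integrated Windows credentials; the script then carries no secret at all, and the only place privilege exists is the service account, whose delegation in AD bounds what the service can change even if the service code is misused.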
I have a python application designed to run as a service on Linux, and I've been asked to install it on a Windows XP box in an office where there are no Linux machines (for me, this makes it a bizarre and confusing place as I have virtually no experience developing for Windows).
On Linux the application has its own user, and the application and database credential file reside in an encrypted folder accessible only by that user. (I'd like to state that I am not a cryptologist, and that if there are already glaring security errors in this set up I'm very happy to have them pointed out to me!)
How can I achieve an equivalent level of security by similar or different means on a Windows XP machine? That is to say, how can I prevent those who have access to the computer or the disk from altering the program or reading the credentials?
A little background: the host windows box is a workstation used every day by users with non-administrative privileges. The secure assets are personal data roughly as sensitive as, for example, a school report. The application is intended to be used by about 10 people who authenticate to the application with individual passwords (stored salted and hashed in the database).
There is a very similar question that received the answer:
on Windows you would store the credentials in the registry in a location protected by an ACL
However, it doesn't touch on the aspect of protecting the program files, and further it seems to assume a higher level of Windows experience than I currently enjoy :) I have no idea how to protect registry items with an ACL, nor how I would then be able to access the protected keys from my program. Simple instructions for a developer in an unfamiliar environment would be greatly appreciated!
Your question is unclear about what your application does and what your security requirements are. I'm going to make some assumptions, and provide an answer based on them. If these assumptions are incorrect, please clarify in a comment and I'll update.
I'm assuming you have an application that:
stores sensitive data in a database stored in a DBMS installed on the workstation
is installed on a shared workstation
each user has their own login (non-admin)
allows different users to log on and interact with their data
user runs application which connects to a service
service connects with database, delivers data to users
service runs under its own user account
If this is correct, then you shouldn't have much issue.
The service can run under any account, but it would be easy enough to have it run under one of the standard ones (Local Machine or Network Service). Configure the database so that only this account can access it. In SQL Server, I'd only grant that user account (and admins on the box) login and access rights to the database.
This is the only security you need, if the users aren't admins. Now, when the frontend connects to the service, the user can provide the username/password and the service can authenticate against salted and hashed passwords stored in the database. All this is secure as long as 1) each user has their own login, 2) communications are secure (using named pipes or SSL) and 3) no viruses or keyloggers are running under an admin's credentials.
You can configure your service as to what account it runs under by running services.msc (or right-clicking on My Computer and selecting Manage, or clicking on Services under the Administrative Tools menu in Control Panel, or probably in a number of different ways).
Bring up the list of services, right click on your app and hit Properties. From there, make it look like this:
We need to ensure that a Windows app that we make (which includes Office plugins) works right when installed in a Roaming Profile environment. Can anyone supply procedures, or a pointer to procedures, for
Setting up a test AD domain for use in testing with roaming profiles
testing
The fact that we've got Office plugins implies, of course, that we've got COM objects.
For the proper configuration of Active Directory I would look at a post over on ServerFault as that is more of a server configuration item.
From a testing standpoint, your test operation is quite simple.
Install it on one machine
Validate that it is functional
Login to the other machine and validate that the process is still working.
Now, all of this is a bit limited depending on how the roaming profiles are set up. Many times, installed applications are not going to come across; their configuration/options obviously will, as they are stored in the user's roaming profile, but the application itself must be installed on each machine. Once it is installed, the settings/options are there across the board.
NOTE
This test scenario does assume that a user with a roaming profile has the same permissions to access every machine on the domain. If you are in an environment where users might have limited permission sets depending on the machine that they login to, you will need to modify the above criteria to include testing on each of the "limited access" machines in addition to a full access machine.