Winforms security

Ethan Strauss

Hi,
I am working on a Windows form application (C#.Net 2.0) and have found
out that it needs to be able to do the following:
Have the application start in Administrative mode the first time it is run
after installation.
Make the administrator alter the admin password.
Allow the administrator to create new users with or without admin access
After the first time it is run, require logon
Maintain its own list of username/passwords, not one associated with Windows.

I have never dealt with security except in a web environment where all the
username/password type information was stored on the server. Everything I can
think of to store username/password on the local system seems vulnerable
to someone local breaking into it. Can anyone point me in the right direction for
how to set something like this up?

Thanks!
Ethan
 
Ignacio Machin ( .NET/ C# MVP )

Hi,
   I am working on a Windows form application (C#.Net 2.0) and have found
out that it needs to be able to do the following:
Have the application start in Administrative mode the first time it is run
after installation.
Make the administrator alter the admin password.
Allow the administrator to create new users with or without admin access
After the first time it is run, require logon
Maintain its own list of username/passwords, not one associated with Windows.

I have never dealt with security except in a web environment where all the
username/password type information was stored on the server. Everything I can
think of to store username/password on the local system seems vulnerable
to someone local breaking into it. Can anyone point me in the right direction for
how to set something like this up?

Thanks!
Ethan

What is your question about?
How to store the login/password, or how to run it as admin the first
time?

Because first of all, you do not REALLY need to be an administrator to
set up the users; heck, you could even do this in the setup probably.
Regarding how to save the values, you can use a table in the DB or
even something as simple as an XML text. You can encrypt the password and store
the encrypted data.
 
Ethan Strauss

What I really need to know is how to store the username/passwords.
I can set up everything else.
If I store it as an encrypted XML file, won't the encryption key need to be
in the code somewhere and thus, at least theoretically, be accessible?
Thanks!
Ethan
 
Mr. Arnold

Ethan Strauss said:
Hi,
I am working on a Windows form application (C#.Net 2.0) and have found
out that it needs to be able to do the following:
Have the application start in Administrative mode the first time it is run
after installation.
Make the administrator alter the admin password.
Allow the administrator to create new users with or without admin access
After the first time it is run, require logon
Maintain its own list of username/passwords, not one associated with
Windows.

The requirements above there are ridiculous. You can only do so much.

I have never dealt with security except in a web environment where all the
username/password type information was stored on the server. Everything I can
think of to store username/password on the local system seems vulnerable
to someone local breaking into it. Can anyone point me in the right direction
for how to set something like this up?

Use .Net Role based security, keep roles, user-id and encrypted password in
an Access database table. All of the how-to(s) on how to do it are out there
on Google or Dogpile.com.
 
jp2msft

Just a thought: You could store a SHA encryption of the username and password
in a file, and just compare these whenever the administrator attempts to log
in.

SHA encryption is just one I have worked with before. There are others, but
at least it gives you something to google.
 
Ignacio Machin ( .NET/ C# MVP )

What I really need to know is how to store the username/passwords.
I can set up everything else.
If I store it as an encrypted XML file, won't the encryption key need to be
in the code somewhere and thus, at least theoretically, be accessible?


No really, you do not store the password, you store a hashed
representation of it. The drawback is that you cannot go back, meaning
getting the password from the value stored in the file. But this in
general is not a problem.
 
