Security :: Create A .NET Application Backdoor Entry?
May 12, 2010
I am wanting to from now on create a backdoor entry for every web application I build so that if need be I can shut it down.I had a nasty recent experience of a client not paying the bill, however the application was on his server, so when I used my backdoor access to alter a hidden record in one of my database tables to stop it from running, they had full control of the server and were able to look through ther SQL log and see what queries had been run at that time and then alter the record and prevent access to the table...
The only way I can think of that will be full-proof no matter where application is (providing there is web access), is to have ONE webservice running on my server with all apps listed, with a secure interface and the ability for me to turn off any application. Then every day, once a day, each of my client's applications (no matter which server they are on) communicates with this web service to see if it is allowed to run by referencing a GUID. This once a day check would be compiled into the main app DLL.
I'm working on logging for all the updates in my web application. I.e, When some one is logged into application or some one changed any thing application, I'm logging everything in log table. But, I just want to know whether I can create log entry when I click on Logoff and I'm using Login Membership control.
I have a web application. This application needs to perform a search on folders located on 2 different machines. I can use impersonation for this. But -
a. I don't want to use network service account b. I want to impersonate just the search part of the code. c. Specifying encrypted user name / password in web.config is one option. But this would be the last option.
Can I use a custom service account for the application pool for this? If yes, then how to impersonate a specific part of code using this?
Let's say I'm currently authenticated in an application (namely: applicationA) and I click a link that will take me to another application (namely: applicationB). Is it correct that in order to bypass authentication of applicationB, I'll just create a ticket for that application telling the web server that I'm already authenticated?
I have an application which is installed on local pc and is using SQL db. It is a client management system where I want to add capability to register new clients and give them access to my web site which is sharing the same SQL database with local application.
At the moment clients can register on the web site and I have ASP.NET authorisation system set up with aspnetdb_user, aspnetdb_membership and etc tables. But sometimes it happens that I need to register clients on my local application on PC and ideally would like that registration to create online account for the client as well. Then I want to be able to send him user id and password by email and let him know that he has been registered in my database and online account is ready for him as well.
Basically I want to have full synchronization between asp.net membership service and local application through SQL db. As I said both online and local apps are shareing the same SQL database. what would be the best practice to implement it.
Suppose that you have a big Data Entry Web Application Like Microsoft CRM, what is the strategies and technologies that you follow to build a website like it?
I don't want to use any Dynamic Web Page Generation software, because it have a lot of limitations.. Also I don't want to design every page and repeat everything
While converting a desktop application to a web app, I've run across my ignorance when attempting to implement a multi-column data entry form using CSS. I'm resolved to avoid using tables for this type of thing, and while I found a good reference to laying out a data entry form, I can find nothing that applies to multiple-column layouts like this one:
I've been required to create an entry form to capture details relating to a travel booking. A user should be able to make a booking entering details related to the booking specifically the details of the persons that would be making the trip. This would involve a sort of parent-children relationship between the booking and the persons.
This would be relatively easy for me to achieve using web forms but then how can I easily achieve this is MVC using a single view? Do I have to create a sort of multistep form?
After I developed the system by usin vs2008 , my supervisor asked me to develop form in the interface  so they can enter information about projects as(project code,project title, country,sector,year) to the database with out dealing with the database in the  backend .. so how can i develop it because i am still new to the vs.
I already have 2 web applications running. both of them are using membership and accessing the same database but their application names are different. so basically in my aspnet_Users table, i have users with different applicationIDs and in my aspnet_Applications table I have 2 records in there. so i have 2 separate login locations
..app1login.aspx ..app2login.aspx
What my the business wants is to only have a single point of entry. so they want something like this
..applogin.aspx
and by verifying the username and password pair, my code should be able to route to the appropriate app and bypass its login form. (don't be concerned about the duplicate username between applications, it's been taken cared of)
so I'd like to solicit suggestions from you how should I implement this without modifying my existing setup? and where should I place this login web form in my website? this is the current site structure:
I have to implement broker and dealer socket connection like in share market i.e. it should connect at 9 AM and stop at 3.30 PM and repeat in next morning ...
so following is my requirement
1) i have to create application object once in day at 9 AM and destroyed at particular end day 3.30 PM.
My question is how to destroyed application object at given particular time ... i think this can be done in application_end handler in global.asax ... but my question is when no request is made at that time then what happened..
I'm trying to deploy an ASP.NET application using InnoSetup. I need to perform the following tasks:
Create an IIS application.
Create a new IIS application pool and set it's .NET version to 4.
Set the application pool of the new application to the new application pool.
I have found a script to create a virtual directory, but I need an application and application pool:
procedure CreateIISVirtualDir(); var IIS, WebSite, WebServer, WebRoot, VDir: Variant; ErrorCode: Integer; begin { Create the main IIS COM Automation object }[code]......
a. I want to have User A as a common user for both application X and Y. b. User A can have different roles on X and Y. Eg. Read permission on Y and Write Permission on Y.
How do i configure ASP.NET membership to achieve about functionality.
We are using membership provider for LDAP authentication. It is working as it should.
But what all configuration settings I have to do so that all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.
We need to have this working because all the permissions on the database are based on the logged in user.
We are using form authentication for LDAP authentication. And having impersonation = true in web.config.
Security Exception Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.Local its run fine. when i place in iis. it throw this exception.
My website security is configured with "Windows Integrated Security" only (anonymous is disabled).
I also want to set a specific account to run the w3wp.exe process using the Application Pool Identity to a domain account.
Running directly from the server works without any problem but from remote computers I always get the authenticaion window then the 401.1 error (after 3 attempts).
It seems that its the combination of "Windows Integrated Security" along with the "Application Pool Identity" that causes the problem. When I disable one of the two it works properly.
My server is Windows Server 2003 R2, running IIS 6.0.
i developed an asp.net(2.0) applicaions which contains the attachments of the clients . these attachments are saved in the shared folder and retrive the file when the user requests.if i maintain the application and the shared folders in the same system it will work properly.if i maintain the application in one server and the file folder in the other server i face a lot of security issus like1.Access Denied2.Couldnot find the part of the path......for this i made an common account for the application server and the file server and also set impersonation to true.Even the i got the couldnot find the part of the path error.i already gave the everyone with full control to the shared folder and i added the common account and gave it to full controlIs there is any alternate for the save and retrive the files to and from the shared folder.
Here is 2 web applications: 1 is asp.net, another is J2EE base webapplication.Both them are using same AD ( e.g. DomainTest ) as authentication source.Question here:1. User log in the asp.net application ( form based log in DomainTest, not IE prompt authencation dialog ), on the left navigation ( link to J2EE web application), just click this link, SSO to J2EE application.I think should transfer identity token from asp.net to J2EE, but don't know how, and for JSP, how to modify it to use token tranferd from asp.net ?
I am making application in asp.net and I wanted to implement security features in my application I want help from you experts with good logic on implementing security Field Level, Button Level and different DIV section level security. Where I wanted like read only, addition, edit and delete and also I can make Groups and then assign user in that so that group security I can give. Customize security for some users.I am ready to use some DLL or Active X which give me above.
Before I was using database for security logic where in I was putting some codes in comma format and was looking that for specific control on form load but it have disadvantage that when some user have access to database that can alter make problem.
I m sure this question has been asked before. I have a web application hosted underhttp://localhost/abc. which is mapped to c:inetputwwwrootabc folder. I have APP_Code, App_LocalResources, BIN and other folders under abc folder. Everything is great. Now I want to create another application or sub application http://localhost/def. Both abc and def apps need to use some common classes and resources. Whats the best way to do it. I dont need to create a separate application for def. All i want is the url http://localhost/def.
I am doing Automated coded ui testing in asp.net 2010 for web application. I am testing site and i need to know how can i create the test which will work with all browsers. Right now i created test in IE 8 but its not working in Firefox. So is there any way i can create one test and will work in all browser.
I have a C# 4.0 WinForm application that creates new Membership users using Membership.CreateUser(). I've created 1,000+ users. I run into problems when I access those same users from my Web application specifically MembershipUser.GetPassword(). I'm able to get the user in the Web app but when I try to get the password using MembershipUser.GetPassword() I get the "Unable to Validate data" error everytime. If I use the MembershipUser.GetPassword() method in the WinForm application it works fine. I'm using the same MachineKey in both applications.
