Windows password

Status
Not open for further replies.

Syerston

Programmer
Jun 2, 2001
142
GB
When opening an application, is it possible to verify the user's input in the password box against their domain password? John
 
Syerston

I appreciate that the forum search is still down!

This question has been asked many times before... and the answer is No.

However, there are alternative ways to achieve what you want to do.

Some options are discussed in thread222-418617. If you need further help regarding these options, post back!

Matt
 
Matt

Thanks for replying.

The main reason for posting is to obtain a method of one secure logon.

I appreciate that using windows authentication via SQL 2000 allows for a secure logon. My problem is that when users log on to the domain they invariably leave the session running (against Company policy I should add). Therefore anyone coming along would be able to log on to the applications without further prompt.
The only alternative is to use SQL authentication which will then lead to various different passwords as we have 8 SQL servers.
John
 
Related to this...

The other thread deals with SQL auths. I have a new program that requires auditing. The problem is it doesn't use a DB. The auditing requires a user starting or stopping the program to enter a user name and password. This way I can write to debug logs who has done what.

So I was thinking that rather than create my own algorithms for encryption I would use Windows Security, i.e. adding a few users to the PC (workstation level), then using VB to somehow verify that the password they entered is valid.

Is that possible? I don't want to get the password, all I want is to have them enter a user name and password, send this to Windows and let it tell me if the login and pass are valid. So a yes/no response.
Craig, sander@cogeco.ca

Si hoc legere scis, nimis eruditionis habes
 
Syerston


>My problem is that when users log on to the domain they invariably leave the session running (against Company policy I should add).

Perhaps some way of enforcing the policy might be an option?

>Therefore anyone coming along would be able to log on to the applications without further prompt.

Not necessarily, if you are using a DB you could create a table with userid and password (not domain). This does mean that people will have to remember 2 passwords. You should encrypt the stored passwords somehow, as users, being users, will set the app password to their current domain one!

>The only alternative is to use SQL authentication which will then lead to various different passwords as we have 8 SQL servers.

Again, not strictly true, you could still use integrated security (i.e. domain) for your connection.

Hope that provides some pointers


Matt

 
I have successfully handled this by having the program shut down if inactive (no keypress) within an x-minute period. Had a lot of complaints at first; however, the people have learned to work with it very well after about a month.
 
yacyac

Good suggestion, but that method would only shut down the application.

Syerston needs to ensure that the user using the application is the user currently logged in to the domain, so closing the application is not solving the problem. It's a bit harsh, but if the system is inactive for a while maybe log off the current session, shut down the system or maybe lock the system. Perhaps a custom screensaver might fit the bill.

Matt

 
The answer may have been No in the past - but there is a way...
 
strongm

I assume you are talking about the LogonUser API? As a general question I ask, is it correct that we (as a forum) should show ways in which NT security (such as it is) can be compromised?

Having watched your "sneaky" tricks in code, with much interest and admiration (crawl crawl :) ) I am sure that you could (and probably have!) write a password cracking engine. Again I am sure that both Syerston and CraigSander have honest intentions, but can you guarantee that every other user or visitor to this forum is as honest?

If you do feel it appropriate to show how Syerston's and CraigSander's question can be answered then please do so. I personally feel that johnwm (I think) posted, "persistent attempts to bypass security should be red flagged"

I am sure that you will respond with a valid argument as to why an answer should be posted: I look forward to reading it.

Syerston and CraigSander

I have thought of another solution that may solve your requirements, for NT and w2k at least. I admit it is a bit brutal but here goes

Code:
'API declaration
Private Declare Function LockWorkStation Lib "user32.dll" () As Long
'put the following in form load or whatever
' don't forget that the lock doesn't "halt" program execution
Private Sub Command1_Click()
    Dim lRes As Long
    lRes = LockWorkStation() ' Brings up standard Locked screen
    'user will only be able to bypass with their password
    'and admin rights of course
    If lRes = 0 Then
        MsgBox "unable to lock", , "Error"
    End If
End Sub

Hope that helps


Matt
 
oops

should read
I personally agree with johnwm who, I think posted, "persistent attempts to bypass security should be red flagged"

Matt
 
I don't believe that the LogonUser API call is something to keep secret. It merely passes back a logon token telling whether it was a match or not. The code is easily available... I believe you can get it from MSDN online. If a person is using it for the wrong reasons, it is nothing that a password generator wouldn't do.
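
The yes/no check Craig asks for earlier in the thread, built on the LogonUser call discussed in the posts above, as an added example that is not part of any poster's message. `CredentialsValid`, `AuditLogon` and the `AUDIT_LOG` path are hypothetical names; on NT4/Windows 2000 the calling account additionally needs the "Act as part of the operating system" privilege.

```vb
' Added example (not from the thread). CredentialsValid, AuditLogon and
' AUDIT_LOG are hypothetical names; the API declarations are the standard ones.
Option Explicit

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_NETWORK As Long = 3    ' validate only, no desktop session
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const AUDIT_LOG As String = "C:\AppLogs\audit.log" ' assumed path, folder must exist

' Returns True only if Windows accepts the pair. Pass "." as sDomain to check
' accounts local to the workstation. The password is never stored or logged.
Public Function CredentialsValid(ByVal sUser As String, ByVal sDomain As String, _
                                 ByVal sPassword As String, ByRef lWinErr As Long) As Boolean
    Dim hToken As Long
    lWinErr = 0
    If LogonUser(sUser, sDomain, sPassword, LOGON32_LOGON_NETWORK, _
                 LOGON32_PROVIDER_DEFAULT, hToken) <> 0 Then
        CloseHandle hToken          ' only the yes/no is needed, so release the token
        CredentialsValid = True
    Else
        ' 1326 = bad user name or password, 1909 = account locked out,
        ' 1314 = required privilege not held (NT4/2000 callers)
        lWinErr = Err.LastDllError
    End If
End Function

' Appends one audit line per attempt, failures included, so repeated
' guessing against the prompt shows up in the log.
Public Sub AuditLogon(ByVal sUser As String, ByVal sAction As String, _
                      ByVal bOK As Boolean, ByVal lWinErr As Long)
    Dim f As Integer
    ' Strip characters that would let a typed user name forge extra log lines
    sUser = Replace(Replace(Replace(sUser, vbCr, " "), vbLf, " "), vbTab, " ")
    f = FreeFile
    Open AUDIT_LOG For Append As #f
    Print #f, Format$(Now, "yyyy-mm-dd hh:nn:ss") & vbTab & sUser & vbTab & _
              sAction & vbTab & IIf(bOK, "OK", "FAIL " & lWinErr)
    Close #f
End Sub
```

Failed attempts made through this call count against the account's lockout threshold like any other failed logon, so the application prompt does not bypass the domain's password-attempt policy.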
 
If a secure logon is the main thing to achieve then you also could ask the user for a password and validate it against a stored hash (MD5, SHA256) in program code or located in a database.
 
>>My problem is that when users log on to the domain they invariably leave the session running (against Company policy I should add).

>Perhaps some way of enforcing the policy might be an option?

mattKnight is right. If it is a policy that people do not leave their workstations unattended then that policy needs to be enforced. I was in the USMC for 6 years and working in command centers it was a huge blunder to leave your workstation on if you left, heck our desks were designed to actually lock up and had to be if we were not sitting right at them. But this may be a bit drastic for normal companies.

Easiest solution is to have a policy (Domain login user policy) that starts the screen saver after 1 or 2 minutes of and requires a password and provide a shortcut to activate the screen saver at any time.

Then if the employee is found away from their desk while the workstation is not locked in some way then they have documented standards that dictate what happens. This can be anything from a warning to instant dismissal depending on how sensitive the data is.

Having a routine that programmatically compares passwords would be a security hole because without other NT policies you'd just have to give it time before you get the password. Weakening a password is pretty easy and knowing the policies can make it easier in a way. Things like knowing that a character cannot be used twice in a row, like "B00kM4k3R" where 00 isn't allowed, help because now instead of 82^n what you really have is 82*81^n-1. Add in that you know that they need to use at least 1 capital and 1 number and 1 special character in their password and it cuts it down a bit further. Then think about when you type in your password: though someone might not catch the whole thing, if they catch 1 or 2 letters then it weakens it even more, AND if they happen to catch the first or last character that is a huge weakness.

Thank god this isn't a big issue with today's OSes, as any administrator worth a penny would have security policies that would stop you after just a few password attempts.

From a design perspective I think multiple logins is stupid if you have other policies in place. Even if it is the same password everywhere it is annoying and unnecessary. Soon it won't be a problem. You'll probably find that within 5 years you'll have things like biometric keyboards and mice that can be used so that only authorised people can use a given computer. I've already got a USB key that only lets data be taken off of it if I've ID'ed myself via a thumb scanner on the key.

8) Love technology 8)
 