3

In a windows WPF desktop app I am using System.Environment.UserName in this way:

 var q = from l in db.Logins where 
                         l.WinLogin.Trim().Equals(System.Environment.UserName, StringComparison.InvariantCultureIgnoreCase)
                      && l.WinDomain.Trim().Equals(System.Environment.UserDomainName, StringComparison.InvariantCultureIgnoreCase)
                        select l.LoginID;

  var login = q.FirstOrDefault();
  if (login == null)
    /*Access rejected*/
  else
    /*Access granted*/

I am wondering if the content of the System.Environment.UserName & System.Environment.UserDomainName can be easiliy faked (set to someone's else account) within windows domain or not by a non administrator user. I hope that this authentication is OK for a normal windows app that does not require top security, just want to make sure I did not overlook something obvious.

For instance if I create home workgroup with the same name as the windows domain has and then create a user within that workgroup and then connect using VPN to that windows domain and install the app on the home workgroup computer, will I fake theese variables and get the access or not?

Vojtěch Dohnal
  • 7,867
  • 3
  • 43
  • 105
  • Faked by whom? By the user? Of course, he can just modify your code or the .NET Framework code. – usr Sep 23 '15 at 12:42
  • @usr But without plb files it would be quite difficult and demanding work, am I right? – Vojtěch Dohnal Sep 23 '15 at 12:46
  • 3
    Editing a .NET binary is super easy. Decompile, edit recompile for example. If your users are not capable of doing that then I guess this might be good enough... It's not real security, though. – usr Sep 23 '15 at 12:48
  • As per this thread http://stackoverflow.com/questions/2525/net-obfuscation-tools-strategy it should not be so simple. – Vojtěch Dohnal Sep 25 '15 at 06:15

1 Answers1

3

No, the System.Environment variables are for that machine only. The username and domain name can't be faked. The call is eventually handled by ADVAPI32, which is the Windows component in charge of internal Windows stuff.

You can't fake it using VPN or other methods either. That doesn't mean they can't get between the app and the database you are connecting to. Make sure to secure that too.

Patrick Hofman
  • 153,850
  • 22
  • 249
  • 325
  • Thank you I will test it from home. The problem is, that when I run the app from home it authenticates against local user and computer name and not against VPN domain account used to log to the domain. – Vojtěch Dohnal Sep 23 '15 at 12:40
  • 1
    If you are running on your home PC, yes. It takes the home PC information, not that of the domain you are connecting to. – Patrick Hofman Sep 23 '15 at 12:41
  • Checked it and could not fake it mainly because the domain name contains a dot character which is prohibited in the windows computer name, so for me this is enough. – Vojtěch Dohnal Sep 23 '15 at 18:22