0

So in the past I have always developed Windows Forms client software while inside the work network. We went on the lazy rule that no external hardware is allowed on site and nobody can tamper with the hardware, so software was always going to be run within the network which were all joined. This allowed me to lazily set the context as follows:

WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
Thread.CurrentPrincipal = wp;

So now I have been asked to write an application which is going to be running on sales-rep laptops. I can't 100% guarantee that they don't take that software and run it on their home PC and have it "pretend joined" to a network. I know I can detect what network name they might be joined to, but what is the correct approach for guaranteeing that the network IS in fact OUR network? Is there some sort of fingerprint I can embed inside the application itself for determining if the network is our work network?

pnuts
Brett Ryan
  • I don't know the specifications of your network, but maybe you can check for (your) running VPN client? The Network-Name should also do it, because I can't imagine that anyone has your Company-Network-Name set up in his home LAN. – bastianwegge Apr 19 '11 at 10:06
  • I could check network name, but it would be simple for someone to simply join a fake network with that name. I wanted to know if there was a more robust way of determining if the network is actually in fact that name. – Brett Ryan Apr 20 '11 at 02:11

2 Answers

1

If it is just a basic network name check you want, you can just use the identity name (WindowsIdentity.GetCurrent().Name), which should contain DOMAIN\username. Once you have that, there are plenty of ways to split the string and retrieve the DOMAIN name (see Built-in helper to parse User.Identity.Name into Domain\Username).

As wegginho mentioned in the comments, though, someone could theoretically set their network name to the same network.

Community
mundeep
  • I can get the network name no problem, but I can't guarantee it's "our" network. This software will be running on sales rep laptops; in the unlikely event that a laptop is compromised, a malicious user could simply join a network with the same domain on another machine, copy the software to it and the software would think it was running on our network. The best way I know to tackle the problem would be to check the SIDs for the groups required, but this seems more likely to break. I wondered if there was an SID for the network name itself. – Brett Ryan Apr 20 '11 at 02:24
1

Gosh, that's what you meant. Head meets table in my place. What you need is a License-Server. You're obviously describing a company license situation! Do you have an MSSQL-Server in your network?

  • Create a User like your_program_nameLCU (license check user)
  • Create a database where the user has read access
  • Create a Try-Catch for the situation when the database is not accessible
  • Obviously he's not in your network so shut down the program!

In addition to that:

It works very well with VPN! And I guess that's what's needed too!

bastianwegge
  • Aha, an interesting way to tackle the situation, though unfortunately we aren't using MS-SQL server. I would be interested to know how MS-SQL server does it though. I am probably being over-paranoid as I think our rep laptops have encrypted HDDs and have strict policies surrounding passwords. I guess it's better to be paranoid than have a red face when management glare at you when something does go wrong ;) – Brett Ryan Apr 21 '11 at 08:59
  • The SQL-Server was just an example. You can also use any other type of network access. Maybe you place a file on a server and in your program-startup you search for the file. Concerning you only want to have the program running in your very own company network. If the "search file" algorithm returns an error you catch it and quit your program! – bastianwegge Apr 21 '11 at 11:33
  • Nice idea, I guess it's a bit of a hack way to do it. App will be offline accessible with online mode, as part of turning on offline mode I'll just simply access a file-share like you mentioned. Thanks. – Brett Ryan Apr 22 '11 at 18:15
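
An added example, not part of the original answers or the asker's code: it contrasts the domain-name check from the first answer with a signed challenge answered by an internal server, using a public key embedded in the client as the "fingerprint" the question asks about. This goes beyond the reachability check suggested in the second answer; all names and keys are hypothetical, the server is simulated in-process so the sample runs offline, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;

static class NetworkProofDemo
{
    // Weak check: the DOMAIN part of "DOMAIN\user" is only a string, and any
    // machine joined to a look-alike domain reports the same value.
    static bool NameCheck(string identityName, string expectedDomain) =>
        identityName.Split('\\')[0].Equals(expectedDomain, StringComparison.OrdinalIgnoreCase);

    // Stronger check: the responder must sign our fresh nonce with the private
    // key that matches the public key embedded in the application.
    static bool ProofCheck(byte[] pinnedPublicKey, byte[] nonce, byte[] signature)
    {
        using var verifier = ECDsa.Create();
        verifier.ImportSubjectPublicKeyInfo(pinnedPublicKey, out _);
        return verifier.VerifyData(nonce, signature, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        // Constructed keys. In a deployment the private key stays on an internal
        // server and only the public key ships inside the client.
        using var corpServer = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using var lookAlike = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] pinned = corpServer.ExportSubjectPublicKeyInfo();

        // Constructed identity string, as a machine on a look-alike domain reports it.
        bool nameOk = NameCheck(@"CORP\jsmith", "CORP");

        byte[] nonce = RandomNumberGenerator.GetBytes(32); // fresh for every check
        byte[] genuine = corpServer.SignData(nonce, HashAlgorithmName.SHA256);
        byte[] forged = lookAlike.SignData(nonce, HashAlgorithmName.SHA256);
        // A recorded answer to an earlier challenge, replayed against the new nonce.
        byte[] replayed = corpServer.SignData(RandomNumberGenerator.GetBytes(32), HashAlgorithmName.SHA256);

        Console.WriteLine($"name check, look-alike domain: {nameOk}");
        Console.WriteLine($"proof check, genuine server:   {ProofCheck(pinned, nonce, genuine)}");
        Console.WriteLine($"proof check, look-alike server: {ProofCheck(pinned, nonce, forged)}");
        Console.WriteLine($"proof check, replayed answer:  {ProofCheck(pinned, nonce, replayed)}");
    }
}
```

Like any check that runs on the client, this only raises the bar: someone who controls the machine can patch the check out, so data that matters should also be gated on the server side.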