
Running Self Service C# Winform at Windows Login Screen

I have written a Self Service Password Reset Tool for our internal company users as a C# Winform.

This app consumes other custom Asp.net web services using HTTPS and client certificate based authentication to either generate a random 6 digit code and send to a mobile device or retrieve 3 security questions that have been set by the user when they have enrolled for Self Service.

The code/answers are sent back to the web service; if verified, the user's AD account is unlocked and their password is reset server side.

I think this is all pretty common in any SSPR tool and is all working fine if accessed from another user's machine, however...

Because of the nature of the problem being that the user can't access their machine at the time they need to reset their password, I have been asked if this app can be launched from the Windows login screen.

I have written a POC custom credential provider which adds a new "tile" to the Windows 7 login screen and launches my app when it's clicked, but I can't help but think this may be a really bad idea.

Because of where it's being launched from, the app runs in the context of the local SYSTEM user, which is already making me nervous!

Looking at other "paid for" SSPR tools that are out there, most seem, at face value, to be doing something similar, i.e. running an external app at the login screen?

  • Is running any app as SYSTEM at the Winlogon screen a complete no-no?

  • If not, are there any recommendations I should be following to plug any vulnerabilities?

  • Is there anything else I could do to reduce the risk (some sort of impersonation/de-elevation when my program is first run)?
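The issue-a-code-and-verify-it step the question describes (random 6-digit code sent to a mobile, then checked server side before the account is unlocked), as an added example that is not part of the original post or the poster's tool. It is a server-side helper: the code comes from a CSPRNG with rejection sampling so every value is equally likely, only a hash of it is stored, it expires, guesses are capped, it is single use, and the comparison is constant time. The class and method names (`OneTimeCodeStore`, `Issue`, `Verify`) are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading;

// Added example (hypothetical names): server-side store for the one-time
// codes a self-service password reset service hands out.
public sealed class OneTimeCodeStore
{
    private sealed class Entry
    {
        public byte[] Hash;          // SHA-256(user + code); the plaintext code is never stored
        public DateTime ExpiresUtc;  // after this the code is dead even if never guessed
        public int AttemptsLeft;     // caps online guessing of a 6-digit space
    }

    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _lifetime;
    private readonly int _maxAttempts;

    public OneTimeCodeStore(TimeSpan lifetime, int maxAttempts)
    {
        _lifetime = lifetime;
        _maxAttempts = maxAttempts;
    }

    // Issues a fresh code for the user; the caller delivers it to the registered mobile.
    // Issuing again replaces any earlier code, so only one is live per user.
    public string Issue(string userName)
    {
        string code = GenerateSixDigitCode();
        _entries[userName] = new Entry
        {
            Hash = Hash(userName, code),
            ExpiresUtc = DateTime.UtcNow + _lifetime,
            AttemptsLeft = _maxAttempts
        };
        return code;
    }

    // Returns true exactly once for the right code within its lifetime and attempt budget.
    public bool Verify(string userName, string submitted)
    {
        Entry entry;
        if (submitted == null || !_entries.TryGetValue(userName, out entry)) return false;

        if (DateTime.UtcNow > entry.ExpiresUtc)
        {
            _entries.TryRemove(userName, out entry);
            return false;
        }

        // Decrement before comparing so a wrong guess always costs an attempt.
        if (Interlocked.Decrement(ref entry.AttemptsLeft) < 0)
        {
            _entries.TryRemove(userName, out entry);
            return false;
        }

        bool ok = FixedTimeEquals(entry.Hash, Hash(userName, submitted.Trim()));
        if (ok) _entries.TryRemove(userName, out entry); // single use
        return ok;
    }

    // Uniform 6-digit code from a CSPRNG. Rejection sampling avoids the modulo
    // bias that "uint % 1000000" would introduce; System.Random is not used.
    private static string GenerateSixDigitCode()
    {
        const uint Range = 1000000u;
        const uint Limit = 4294u * Range;   // largest multiple of Range that fits in a uint
        var buf = new byte[4];
        using (var rng = RandomNumberGenerator.Create())
        {
            while (true)
            {
                rng.GetBytes(buf);
                uint value = BitConverter.ToUInt32(buf, 0);
                if (value < Limit) return (value % Range).ToString("D6");
            }
        }
    }

    // Binding the user name into the hash means the same digits are not
    // interchangeable between two users' pending resets.
    private static byte[] Hash(string userName, string code)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(userName + "\n" + code));
    }

    // Constant-time comparison so timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Typical use is `var store = new OneTimeCodeStore(TimeSpan.FromMinutes(10), 3);` behind the web service; the `Verify` result, not anything the WinForms client claims, is what should gate the AD unlock and reset.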

With a Windows credential provider you can either get it to log in and then launch your self-service app. We tried this and the process itself takes too long.

Instead we did the following.

We created a web app that allows you to register for self service, either question answers or registering an alternate email address. This is all trivial stuff.

The fun bit was that we created a WinForms app with a browser component for that URL only. We then created a credential provider that has a link which, when clicked, would open up the WinForms app. We ensured there was no right-clicking or the ability to launch new windows by configuring the WinForms app as such.

Now if a user has forgotten their password they just click on the link at pre-logon. The WinForms app loads, they do their business, and then close it. It's all done at the logon screen.

Note: if you try to implement this using WPF instead of WinForms the application takes quite some time to load.

Happy to share code, just tell me what you need. Also make sure when creating credential providers that you give them unique IDs and not just use the Microsoft samples. You also need to disable the original credential provider, otherwise you end up with duplicates. We used Group Policies to disable accordingly.
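The locked-down browser wrapper the answer describes, as an added example of my own and not the answerer's code: a WinForms form hosting a `WebBrowser` that is pinned to one HTTPS origin, with the context menu, keyboard shortcuts, drag-and-drop and pop-up windows disabled, so the window launched from the credential provider cannot be steered anywhere else. The portal address `https://sspr.example.internal/` is a placeholder and the class name is hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Windows.Forms;

// Added example (hypothetical class name): kiosk-style WinForms host for a
// self-service password reset portal, intended to be launched at the logon screen.
public sealed class SelfServiceKioskForm : Form
{
    // Placeholder origin; the deployed portal URL goes here.
    private static readonly Uri AllowedOrigin = new Uri("https://sspr.example.internal/");
    private readonly WebBrowser _browser = new WebBrowser();

    public SelfServiceKioskForm()
    {
        Text = "Self Service Password Reset";
        FormBorderStyle = FormBorderStyle.FixedDialog;
        MaximizeBox = false;
        MinimizeBox = false;
        StartPosition = FormStartPosition.CenterScreen;
        Size = new System.Drawing.Size(800, 600);

        _browser.Dock = DockStyle.Fill;
        _browser.IsWebBrowserContextMenuEnabled = false; // no right-click menu (View Source, Save As, ...)
        _browser.WebBrowserShortcutsEnabled = false;     // no Ctrl+O / Ctrl+P / Ctrl+N / F12 and friends
        _browser.AllowWebBrowserDrop = false;            // no dropping files or links into the control
        _browser.ScriptErrorsSuppressed = true;          // no script-error dialogs to click through

        _browser.Navigating += OnNavigating;
        _browser.NewWindow += OnNewWindow;
        Controls.Add(_browser);

        _browser.Navigate(AllowedOrigin);
    }

    // Every navigation is checked; anything outside the allowed origin is cancelled,
    // which covers typed URLs, redirects, and links on the page alike.
    private void OnNavigating(object sender, WebBrowserNavigatingEventArgs e)
    {
        if (!IsAllowed(e.Url)) e.Cancel = true;
    }

    // Pop-ups would open a full Internet Explorer window in this process's context,
    // so they are refused outright.
    private static void OnNewWindow(object sender, CancelEventArgs e)
    {
        e.Cancel = true;
    }

    // Same scheme, host and port as the portal; about:blank is the control's own
    // initial document and is harmless.
    internal static bool IsAllowed(Uri url)
    {
        if (url == null) return false;
        if (url.Scheme == "about" && url.AbsoluteUri == "about:blank") return true;
        return url.Scheme == Uri.UriSchemeHttps
            && string.Equals(url.Host, AllowedOrigin.Host, StringComparison.OrdinalIgnoreCase)
            && url.Port == AllowedOrigin.Port;
    }

    [STAThread]
    private static void Main()
    {
        Application.EnableVisualStyles();
        Application.Run(new SelfServiceKioskForm());
    }
}
```

The reason for cancelling rather than merely hiding navigation is the point raised in the question: at the logon screen this process runs as SYSTEM, so anything the control can reach (a `file:` URL, a download prompt, a new browser window) is reached as SYSTEM. Pinning the origin, refusing new windows and disabling shortcuts shrinks that surface to the one portal; the portal itself should still be the component that does the verification, as the answer's design already has it.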
