EDN Admin
Well-known member
Hi,
We are in the process of upgrading to WIN7 support and finding issues with the existing impersonation security model we previously used. So I am looking for suggestions before we hit the code.
Application ABC.exe is running on a PC with restricted permissions.
I have numerous AD groups to simulate users to different security levels.
So ABC.exe is running in restricted mode and a supervisor would like to view ABC.exe configuration settings.
Currently we display a logon dialog, use those credentials to authenticate against LogonUser, then have a function
that recursively queries AD and builds a list of groups that user is in. Then, if "WWPrograms_Admin" is in that list of groups, we use the following code and launch another exe as that new user. I believe behind the scenes this is using CreateProcessAsUser.
Problem with this code is it is very slow; it loads user profiles too (maybe 60 seconds).
So basically we are thinking about running separate Exes from our menu structure, which could also get clunky.
<pre class="prettyprint lang-vb">
Dim psi As New ProcessStartInfo
' Only prompt for credentials when the current user is not already in the admin group.
If Not My.Settings.LogonDialog.IsInGroup(String.Concat(Environment.UserDomainName, "\WWPrograms_Admin")) Then
    Select Case My.Settings.LogonDialog.ShowDialog()
        Case DialogResult.OK
            If My.Settings.LogonDialog.Username <> "" Then
                psi.Domain = My.Settings.LogonDialog.Domain
                ' Accept either "user" or "DOMAIN\user" from the dialog.
                If Split(My.Settings.LogonDialog.Username, "\").Length > 1 Then
                    psi.UserName = Split(My.Settings.LogonDialog.Username, "\")(1)
                Else
                    psi.UserName = My.Settings.LogonDialog.Username
                End If
                ' ProcessStartInfo.Password must be a SecureString.
                Dim sstrPassword As New System.Security.SecureString
                For Each c As Char In My.Settings.LogonDialog.Password.ToCharArray()
                    sstrPassword.AppendChar(c)
                Next
                psi.Password = sstrPassword
            End If
            ' Loading the profile for the supplied user is the slow part of the launch.
            psi.LoadUserProfile = True
        Case DialogResult.Cancel
            MessageBox.Show("Access Denied..." & vbCrLf _
                            & "Insufficient security, please try again." _
                            , "Security..." _
                            , MessageBoxButtons.OK _
                            , MessageBoxIcon.Warning)
            Return
    End Select
End If

Dim p As New Process()
With psi
    ' UseShellExecute must be False when starting a process with credentials.
    .UseShellExecute = False
    .FileName = "WWTimeClockStationEx.exe"
    .Arguments = "WWTimeClockStationEx.Forms.frmOptions" _
                 & String.Format(" {0}{1}{0}", Chr(34), DirectoryContext.Instance().LocalConfigFileName) _
                 & String.Format(" {0}{1}{0}", Chr(34), DirectoryContext.Instance().ServerConfigFileName)
End With
' stop usb devices for this app
p.StartInfo = psi
p.Start()
AddHandler p.Exited, AddressOf TimeClockStationEx_Exited
p.EnableRaisingEvents = True
p.SynchronizingObject = Me
p.WaitForExit()
p.Close()
</pre>
What are the suggested best practices for such? We want the flexibility to add/remove somebody from AD and limit their user experience.
At some point we are going to build some internet access to these apps too.
Gary
View the full article
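Added example, not code from the post: a token-based form of the admin check in VB.NET. It validates the dialog credentials with a network LogonUser (no profile load) and asks the resulting token whether it carries the admin group via WindowsPrincipal.IsInRole, which already covers nested AD membership, so the recursive directory walk and the 60-second profile load are both avoided. The Win32 declarations and the group name "CORP\WWPrograms_Admin" are assumptions for this example.

```vbnet
Imports System
Imports System.Security.Principal

Module SupervisorGate
    ' Win32 LogonUser / CloseHandle; a VB Declare sets SetLastError implicitly.
    Private Declare Auto Function LogonUser Lib "advapi32.dll" (
        lpszUsername As String, lpszDomain As String, lpszPassword As String,
        dwLogonType As Integer, dwLogonProvider As Integer,
        ByRef phToken As IntPtr) As Boolean
    Private Declare Function CloseHandle Lib "kernel32.dll" (hObject As IntPtr) As Boolean

    ' A network logon validates the credentials and builds a token without
    ' loading a user profile, which is the slow part of LoadUserProfile = True.
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Returns True only when the credentials are valid AND the resulting token
    ' carries adminGroup (e.g. "CORP\WWPrograms_Admin", a constructed name).
    ' The token's group list already includes nested AD groups, so no
    ' recursive directory query is needed.
    Public Function IsSupervisor(domain As String, user As String,
                                 password As String, adminGroup As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                         LOGON32_PROVIDER_DEFAULT, token) Then
            ' Bad password, locked-out or disabled account: all fail closed.
            ' Marshal.GetLastWin32Error() gives the reason if you want to log it.
            Return False
        End If
        Try
            Using ident As New WindowsIdentity(token)
                ' IsInRole resolves "DOMAIN\Group" to its SID and checks the token groups.
                Return New WindowsPrincipal(ident).IsInRole(adminGroup)
            End Using
        Finally
            CloseHandle(token)
        End Try
    End Function
End Module
```

The same token can be passed to WindowsIdentity.Impersonate to gate the options form in-process instead of spawning a second exe as the supervisor.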