Use Windows Credentials as Application Password

"Use Windows Credentials as Application Password" does not work as we expect it to.
When you are asked for credentials, ANY credentials will do.
This could be accepted if the logs were written with the user who entered his credentials.
But the data source user is taken for the logs.

I recommend overriding the logging function in the case that another user has started the application.
So we could have a central user for Windows logon on our virtual hotline machines, and the user that connects to it could log on at application start, and we could track down who has done what and when.

In the current state this function is somewhat of a security hole, as ANY user credentials are accepted as long as the password is correct.
There is no check whether the user has rights on an RDM connection. Even Domain Guests could start the app.

I know - security should be done on a lower level, and we already have screen saver locks active.
But on our hotline machines a central user is auto logged in, so everything is in the right place for the remote connections.

All Comments (6)

Hi,
What type of data source do you use? I think that you should choose another data source type to secure the access to the data. The application security is only there to restrict the access to the application, but it's much more secure to restrict the access to the data.

For example, you could create a SQL Server database and use the integrated security:

http://help.remotedesktopmanager.com/administration_usermanagement_integratedsecurity.htm

David Hervieux

Hi David,

We are using RDMS as data source with integrated security to connect to the data source.
But this is the problem:

I start my computer and log on. When I don't lock my desktop, any user could start RDM, enter his credentials (as he won't know mine) and connect to the data source with MY user, as my Windows user is still logged on.

So the credential entering does only one thing: keep non-domain users from connecting.
But over 60% of data loss comes from internal users...
And internal users are more likely to get to my unlocked desktop, of course.

Another thing I already mentioned above is with our hotline VMs:
There is a general user logged on so that we don't have to log out / log in every time one of my colleagues connects to or disconnects from a VM.
If we could use RDM with the password-at-startup function and those credentials went to the logs on session start/close/whatever, we would have a perfect audit trail with the corresponding users and not the general ones.
The general users have no rights to edit/create/delete sessions, so connecting with the general user won't be a problem on this side.

And once again:

thanks for the lightspeed response time ;-)

Hi,
Could you verify the logs, because you have both usernames:

Database username, which is the RDMS credentials
Username, which is the current Windows user

David Hervieux

Hi David,

In the logs it is the logged-on username and the configured database user that are logged.
But I have unlocked RDM with other credentials.
So only the running user and the configured database user are logged.
The credentials for unlocking the application have no further effect than unlocking.
And this could even be a guest (just checked this).
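The two gaps described in the original post and in the reply above (any valid domain password unlocks the app, and the audit log carries only the Windows and database accounts, not the unlocking user) can be illustrated with a small model. This is an added example, not Devolutions' code; the `RDM-Hotline` group, the account directory and the field names are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed directory of domain accounts and group membership (not a real domain).
DOMAIN_USERS = {
    "Test123": {"password": "pw-test123", "groups": {"Domain Users", "RDM-Hotline"}},
    "guest01": {"password": "pw-guest", "groups": {"Domain Guests"}},
}
REQUIRED_GROUP = "RDM-Hotline"  # assumed group whose members may unlock the application


@dataclass
class AppSession:
    windows_user: str        # account logged on to the hotline VM (the shared one)
    database_user: str       # account used for the data source connection
    unlocked_by: Optional[str] = None
    audit_log: list = field(default_factory=list)


def _entry(session, action, actor, connection=None):
    """One audit record: the unlocking user is kept next to the two service accounts."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "windows_user": session.windows_user,
        "database_user": session.database_user,
        "actor": actor,
        "connection": connection,
    }


def unlock(session, username, password):
    """Authenticate AND authorise the unlocking user; log denied attempts too."""
    account = DOMAIN_USERS.get(username)
    password_ok = account is not None and secrets.compare_digest(account["password"], password)
    authorised = password_ok and REQUIRED_GROUP in account["groups"]
    if not authorised:
        session.audit_log.append(_entry(session, "unlock_denied", username))
        return False
    session.unlocked_by = username
    session.audit_log.append(_entry(session, "unlock", username))
    return True


def record_action(session, action, connection):
    """Attribute a session action to the user who unlocked the app, not the VM account."""
    if session.unlocked_by is None:
        raise PermissionError("application is locked")
    entry = _entry(session, action, session.unlocked_by, connection)
    session.audit_log.append(entry)
    return entry
```

A guest with a correct password is refused and the refusal is itself logged, while actions after a successful unlock name the interactive user alongside the shared Windows and database accounts.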

Do you think we should force to unlock with the same user?

David Hervieux

Hi David,

I don't think so.

We would like to unlock RDM with any domain user who is connected to our Hotline VM.

If domain user "Test123" unlocks RDM, this and all other actions from "Test123" should be logged in the logs.

So we are able to check which user connects at what time to which connection. --> audit

Best regards


Benedict Poppe
edited by NGA on 9/26/2013