Secure ClickOnce files so that only my users can access it? - wpf

I am trying to deploy my WPF application to some users who are outside of our corporate network. Everything works great on our LAN but I can't get the updates working when I turn on security as the user is never prompted for their login details?
Does anyone know of a way to secure my ClickOnce files so that only my users can access it? I am not allowed to put this software up without it being secure.
Any help much appreciated.

There is no way to secure your files as the ClickOnce runtime will blindly return to it's deployment point and never keep hold of the users original credentials. I have heard of ways of getting round this using various techniques but its a fair bit of work.
This might be of use www.clickoncerevolution.com.
You could also always consider an MSI installer but you won't get the automatic updates.
Marty

Internally, you can restrict access to the files on the webserver. Externally, there's not much you can do easily.
We handle this by having our customers log in when they run the application, and we verify their credentials against backend services (running on Azure). So they can't run it unless they can log in.
If you don't want to do that, I'll share this article with you. It shows how to serve up your ClickOnce files from a SQL Server database by intercepting the requests to the webserver and responding. If you were smarter with web applications than I am (not a high bar, mind you), maybe you could figure out how to intercept and ask for authentication credentials at that point.
And here's an article from CodeProject where they show one solution for what you're trying to do.

Related

Deploy Silverlight With Local IIS - Advisable?

I'm in the process of reengineering a desktop application to a Silverlight4-WCF client-server architecture. Apparently, some (not all) of our clients have very limited resources or dysfunctional relationships with their I/T support staff. Consequently, I've been asked to come up with a solution that would enable these clients to install the new SL app on a local desktop, possibly running IIS locally. Will probably wrap all this up in a installer to make deployment super easy.
While I don't endorse the idea of running IIS locally on each user's desktop, my thinking is that it will probably work. The biggest problem I envision is security -- the server code and configuration would be available locally. Still, I'm looking for input from the wider developer community because I'm uncomfortable by the proposal. What kind of hell and difficulties do you envision, or can this work with minimal fuss?
Using IIS locally may be more trouble than it's worth. Most configuration/maintenance tasks require the user to have Administrator access on the computer. Securing it is a bitch. Making sure its configuration doesn't drift and remains working as you release new versions is even more so. Moreover, it's not included in all Windows editions, e.g. Windows 7 Home edition. I recommend trying to roll with IIS Express as an embedded HTTP server instead.
As for code security - if you can't trust your clients' IT to look after deployment and security, or they can't/don't want to, you could host the server-side yourself and bill your customers for it, i.e. SaaS.
Just my 2 cents.
EDIT:
Oh, yeah. If you're concerned about trade secret theft, e.g. reverse engineering of your server code, just run it through an obfuscator, e.g. SmartAssembly. That'll give you an edge. As for IP theft, e.g. piracy, use could use some online license checking scheme - it won't compromise client privacy, and it'll deter copying.

Update a local/client Microsoft Access Database from a server (MS SQL Server2005)

I've got a website that runs on a shared hosting environment, using ASP.net 2.0 (C#) and MS SQL Server 2005. I've recently been asked if I can integrate my website with a piece of third party desktop software that uses the Access runtime as its database (transparent to the end user).
Primarily I want to be able to offer users of my website the option of exporting their data into the Access database on their local machine. The data schema's match sufficiently, the question is how to actually do this, and in the simplest way possible for the user.
Simply having a webpage update the local Access database isn't possible due to the obvious security restrictions. I've considered asking them to upload the Access database to the server, so I can migrate the data then allow them to download it again, however the competency of the users of this software is such that even locating the Access database, let alone uploading and downloading it from the website might be too complicated.
I've also considered if Adobe Air or Silverlight could help here, but don't know them well enough to know for sure. Similarly I'm assuming another exe could be written to perform this task that the user could simply download and run, however my experience is in web development, not program development, so this isn't a 100% certainty for me, or an ideal development option for me.
So, can this be done, and if so what technique can achieve this, with the stated aims being ease of use for the end user, followed by ease of development by someone with web development as their main skill. Many thanks!
You may find this answer of interest: Best way to stream files in ASP.NET
It is about transferring a file from the server. You could save Excel or CSV and use that to update Access.
Instead of trying to do this in a web page you might just expose some views from your sql server to some client specific logins.
Then within the Access application, allow them to tie to your sql server. You might even provide an access application for getting the data from your site and stuffing it in their local access database.
In my work we have done something similar that is transparent to the user by creating an ActiveX control. The problem is that you are limiting the users to use only Internet Explorer.
I think that the best way to achieve what you are trying to do is by installing a service in the client's computer. If creating a service is beyond your experience you can post a project in a place like oDesk and find somebody that can help you with the development for the money that you are willing to pay to complete your project.
Good Luck.

how to deploy an application automatically

In the office here we have a startup script that runs on the server which will update via copy/paste the software in house if there's a newer version on the server or not. This was simple, easy and fast to implement.
There is now a problem, many of our users are off-site and they use laptops/tables which don't connect to the domain to run the startup scripts - which means that these have to be manually deployed. This was fine for the one user that I've had for a good while. Now that I've got 10 - it's a no go. I've got to figure out a better solution.
Without developing something homegrown, are there any solutions out there that make auto-deploying/updating easier?
Note: This is a winforms app.
Is ClickOnce an option?
There's a lot to read at the link I am pointing you to, but it's really pretty simple. You would have to publish the app to a live web server, though. Something that can be accessed from off the domain. That could pose some security concerns. It's one avenue to explore, though.

What issues can a client have running Silverlight?

My company recently deployed our first Silverlight app, and, as expected, we've had a couple of small issues with getting it to run on some clients' machines. Mostly it was javascript that was disabled or using a non-supported browser, but I was wondering if there was a resource that lists the common issues that users run up against so that we can post in our FAQs section and hopefully decrease the volume of calls we recieve about it.
Thanks.
The user might not have Silverlight installed.
If the user doesn't have administrator permissions he or she cannot install it. -- FAIL!
The majority of users in corporate and government environments don't have administrator accounts.... to make sure they don't install stuff like silverlight. :-)

How do I verify the host server's certificate in Silverlight?

I am concerned with MITM attacks in the Silverlight application I am writing. The site will be running over SSL. If my site is the victim of a MITM attack, as far as I know, my only defense right now is the warning page the browser displays when the site's certificate is untrusted. Since it is only a browser, the best it can do is simply warn the user and then let them through anyway. User's can be click happy, and tend to not read things. Therefore, chances are they will read this warning, scratch their head, and continue on to the site. My thought was that since I am writing a robust Silverlight application, I should be able to either detect if the browser is seeing a certificate error, or perform that same verification that the browser performs. Then if I determine that there is a problem, I can simply lock down my entire app so that the user does not expose any critical information to the MITM. The problem that I am having is that I can't seem to find the right classes in Silverlight's limited subset of .NET to do what I need to do. Does anyone know how I can accomplish this goal, or a different way around this issue?
This isn't possible as far as I know - Silverlight uses the browser's networking stack, and as a result relies on its networking warnings and security infrastructure.
Silverlight 3 added a new networking stack, but I believe that in general the same applies: your host server's certificate is validated when the .xap (Silverlight application) is downloaded by the browser, and not something you can check or interact with in code.
IMHO You may check the certificate that is stored locally since browser will save a copy of it after SSL request.
Check out this article. I hope it will give you some hints

Resources