web site protection

[deshmukh.mateen]

We're planning on a porting project from client-server to
browser-based. The client-server application has a
critical built-in security mechanism we'd like to bring
over to a web browser. It reads from a set of control
files on the hard-drive to make sure it is being run from
an "approved" computer. Can something equivalent to this
be done in a browser-based application? The usual USER
NAME/PASSWORD is not good enough for us. In other words,
does any one know how you can "tie" a web site to a
particular computer?


I'm wondering if there's a way I can setup/configure the
browser on my users' computer so the user can only access
my app from that particular PC. All my users are in the
same city and there're only a handful of them so we can
visit them all if we have to. After I set the user up, I
want the user to "magically" get to my site when on that
approved computer, and "magically" fail to from any other
non-approved computer (because it not have my hidden
stuff). I know there're certain limitations as to what a
browser can do. What kind of system information is
available to a web-browser and what directories on a
computer the browser has access to, in addition to the
cache directories?


Thanks in advance.

 

[George Ter-Saakov]

Your message is a bit contradicting and not clear what you want....

So here are some questions and my thoughts.

Not clear what you want to lock down (pick correct option).
a) The server side... so client only can install your application on one
server and not be able to distribute it somewhere else and install it on
another server....
b) Or may be you want clients to be able to only access your application
from particular machine

In case (b) I do not understand why. What is the point of rewriting
application as a Browser based application. The only benefit is that users
can access your application from any computer...
But you can still achieve it, although not 100% proof, with custom
certificate installed in browser. Then lock your application and make it
available only with specific client certificate....

In case (a) You need to check the host. Request.ServerVariables["HTTP_HOST"]
and if it's not predefined one then kick user back.


George

 

[Mark Rae [MVP]]

an "approved" computer. Can something equivalent to this
be done in a browser-based application?

In addition to George's reply, you might find this helpful:
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html

 

[George Ter-Saakov]

Yep, that article describes exactly what I meant.
Could not come up with the url myself. Only knew that is possible.

George.