ClickOnce - Secure Alternative to ActiveX for Launching Local Application from IE? - security

Need to have ASP.NET page running on intranet launch a local windows application (VB6 exe). Originally planning to use an ActiveX control, however general security concerns with ActiveX controls (real and perceptual) have led us to consider a ClickOnce approach to the problem. The user would click on a link that would launch the ClickOnce application (the ClickOnce application would just be a .NET windows app to launch the VB6 app). Is this a better solution from a security perspective?

Is there a reason why you couldn't simply publish the application that you want to launch as a ClickOnce application?
When a ClickOnce application is published, it always checks the server for any updates and, if there are none, it launches the cached installation of the application. This is the same effect as the "launch" link on the default ClickOnce installation page that is generated when you publish the application. You could publish the application and then copy the URL from the launch link to your website for the same effect.
I wouldn't recommend your method above. I don't know your specific scenario but, obviously, your ClickOnce application that you mention above would not work if the VB6 application did not exist on the user's computer or if it was located in a different installation location.
In response to your security concerns, I'm not an ActiveX expert but I wouldn't think launching an ActiveX component would be a problem if it's being used from within your intranet. In fact, I think the problem with ActiveX is when it's enabled, malicious websites can inject harmful ActiveX viruses. I'm not a security expert, so I could be wrong. I'd be surprised, however, that hosting an ActiveX service would be a security problem (assuming your code is legit ;)

Related

SiteMinder on IIS7.5 Authentication on app by app basis?

I inherited a mess of servers which host multiple applications on IIS6, protected by R6 SiteMinder. The environment is soon going to R12, and we have also received some new servers with IIS7.5. (Lots of change, all within the next 60 days.)
I am not an expert, and so am having trouble with some of the more detailed steps of configuration. Thus far, on the new server I am able to create and apply SiteMinder to the DefaultWebSite (and everything contained within), and any custom Sites that I create. Unfortunately in our environment, it is already set up with a handful of applications that live underneath DefaultWebSite, only some of which we desire SiteMinder protection.
In IIS6 I was able to simply add a site to SiteMinder authentication by applying the ISAPI6WebAgent.dll in the wildcard mappings. In IIS7.5, this does not seem to work. I follow the specific details in the installation manual and it seems like it is either an all-or-nothing situation: everything under DefaultWebSite is protected, or nothing is.
This will cause a SIGNIFICANT amount of additional work in my environment (and it also means upgrading in place is not possible, so all applications that require SiteMinder authentication will need to be migrated in the next 60 days.) Is there ANY workaround for this? Google has not provided me with any solutions, and my SiteMinder team is claiming "it is no longer possible with IIS7.5" to keep the environment the way it is currently set up.
Any and all help appreciated.
For those that care, if you are running under an Integrated App Pool, you can simply add and remove the SiteMinder modules to control which sites are protected by SiteMinder. This DOES work on apps below a virtual directory - and using the config files you can either inherit protection by default, or have it unprotected and add it later by simply using "Configure Native Module" and adding it back.
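As an added illustration of the per-application approach in the answer above (this is not from the original post): under the IIS 7.5 integrated pipeline, a module enabled in the site's web.config is inherited by every application beneath it, and an application opts out by removing it in its own web.config. The module name is a placeholder; use the name the SiteMinder agent installer registers under globalModules in applicationHost.config.

```xml
<!-- web.config at the root of Default Web Site: everything beneath it is
     protected unless a child application removes the module. -->
<configuration>
  <system.webServer>
    <modules>
      <!-- Placeholder: substitute the native module name registered in
           %windir%\System32\inetsrv\config\applicationHost.config -->
      <add name="SITEMINDER_MODULE_NAME" />
    </modules>
  </system.webServer>
</configuration>

<!-- web.config of one application under the site that must stay unprotected.
     The <remove> only works if the site-level entry is not marked
     lockItem="true" and the modules section is not locked for override. -->
<configuration>
  <system.webServer>
    <modules>
      <remove name="SITEMINDER_MODULE_NAME" />
    </modules>
  </system.webServer>
</configuration>
```

The inverse layout (no module at site level, `<add>` in each protected application) is what "Configure Native Module" writes for you; the inherit-by-default layout above is the safer one because a newly deployed application is protected until someone deliberately removes the module.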

windows integrated security user.identity.isauthenticated returns false

I swapped my hard disk for an ssd, and am having fun recreating my environment.
I'm running Win7 Pro, and my web app is returning false from user.identity.isauthenticated (was working fine before I upgraded to the SSD).
I added Windows integrated security as a security feature under the Windows components (I'm running local IIS), and enabled it for the web site.
If I disable anonymous, user.identity.isauthenticated returns true with the correct credentials - BUT I am always prompted to enter my credentials.
AHAH - it must be NTFS permissions. But I've added them for every account I can think of - NETWORK SERVICE, my own account, IUSR, authenticated users, and several others that were already there. Makes no difference.
Maybe the app pool I'm running under - but I've tried DefaultAppPool, .NET 4.0, and .NET 4.0 Classic. Again, makes no difference.
Does anyone have any ideas on other things I can try? I'm not on a domain or anything like that, this is entirely local. Thanks!
The solution was in the browser, in this case under ie9 Internet Options. After verifying in the Advanced tab that Enable Windows Integrated Authentication was checked, one must go to the Security tab, under Local Intranet/Sites and uncheck "automatically detect intranet network" and check "include all local intranet sites".
What's in your web.config?
<authentication mode="Windows"></authentication>
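Added here as an example, not part of either answer above: in the IIS 7 integrated pipeline, leaving Anonymous Authentication enabled next to Windows Authentication means every request is served as anonymous, so User.Identity.IsAuthenticated stays false, until something returns a 401 and forces the Negotiate/NTLM handshake. The web.config below forces that challenge with a deny rule for anonymous users while keeping the Windows authentication mode the second answer asks about; the IE intranet-zone setting from the first answer is still what makes the browser answer the challenge silently instead of prompting.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Map the Windows principal established by IIS onto User.Identity -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user. Denying it makes ASP.NET answer 401,
           which triggers the Windows authentication handshake even though
           Anonymous Authentication is still enabled at the IIS level. -->
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- Same as the IIS Manager settings. These sections are locked at
             the server level by default; unlock them first with
             appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication
             (and the anonymousAuthentication section), or leave this part to IIS Manager. -->
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```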

WebServiceHost inside VSTO addin

I'm developing an application-level VSTO addin that consists, among other things, of a UI with an embedded WebBrowser control and a simple REST-style service, based upon WCF's WebServiceHost. The service delivers content, in particular Flash movies, to the embedded browser. This used to work like a charm until yesterday. For some still unknown reason (maybe some .NET update that changed some internal processing), the complete Word application now freezes when the browser loads a Flash movie from the embedded server. It still works when I move the webserver code into a separate process, and it also works when the Flash movie is already in the browser cache, so I am quite sure that it is the combination of serving and displaying the Flash movie both in the addin that is causing the problem.
I did some research (which I should have done earlier, maybe) and learned that multi-threading and VSTO addins do not go well together. And running a webservice surely implies some kind of multi-threading.
So my question is: is there any chance to make this kind of architecture run reliably? If so: what am I missing? Or should I better try another approach? If so: what would you recommend?
Note: Using "file://" urls and thus loading the content directly from the disk is not an option since I cannot guarantee a common docroot and need to put some logic between the UI and the content serving.
VSTO add-ins are STA, so you should consider researching WCF and STA (see related SO post).
You could always host the WCF service as a windows service to avoid the STA issues of the VSTO add-in host.

Seemingly no default printer for DLL invoked from WCF service user on IIS 7 and Windows Server 2008

I've got a WCF service that wraps some legacy DLLs that generate report PDFs. That legacy code works great in a desktop app, but when invoked via the WCF service, the PDF page size is driven by the virtual screen size (the page size aspect ratio becomes 4:3) instead of an actual paper size.
I've exported the various registry keys for printers under my HKEY_CURRENT_USER and re-imported them under HKEY_USERS.DEFAULT, and I've made sure a local printer is available to "Everyone". Still the PDFs come out wrong.
The site is running in IIS 7 on Windows Server 2008. The site has its own 32-bit AppPool, running as a specially created user. The site has Anonymous Authentication enabled and ASP.NET Impersonation disabled.
Oddly, if I make the AppPool run as myself, the report PDFs have a correct 8.5 x 11 in page size. But as soon as I make it the specially created user, the page size is 10.67 x 8.00 in (4:3 ratio, e.g. 1024x768).
What am I missing?
I'm not real familiar with WCF services, but if they're true Windows services then it's not surprising they don't see the default printer. They probably can't see network shares either. Simply running your service under a user account rather than the local system account should solve the problem.

Running Activex control and Maintaining security

In my web application, I have a part to invoke an ActiveX control. The ActiveX control is available in all the client PCs who are accessing my web application from the web server. But when trying to run this ActiveX control from the browser in the client machine (using Wshell), it was not getting invoked since "Run ActiveX Controls and Plugins" is disabled in my browser. So I changed the browser settings to enable mode and then the ActiveX control gave me the expected output. I'm afraid that this change in browser settings would allow any other website to harm my system. How could I get rid of this problem? Any thoughts? Thanks in advance
There have been a lot of security changes introduced from Vista + IE7 onwards, wherein IE starts in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.
More details : http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_aarwm
So developers have to modify the applications to conform to the new standards like starting the process from the plugin - sending Windows messages from LI (Low Integrity) to HI process etc.
You can digitally sign your ActiveX so that users do not have to compromise the security of their browser too much in order to allow it to run. But, essentially, ActiveX isn't very secure and these problems always pop up when you choose ActiveX...