-
Jun 6th, 2001, 12:40 PM
#1
COM Security?
hi all... i am beginning the design phase of creating a component that will be shipped to clients for my company... the component will contain functions that interact with a data server... my question is a bit general: what are the security concerns when using a component to do these things (query a dataserver)?... we don't want our clients to even know the address of the server, much less its design and contents, but i know that anyone could easily view a dll in notepad and decipher some of the information, such as an ip address, etc. Or is there a way to prevent this?...
thanks in advance!
-
Jun 6th, 2001, 05:13 PM
#2
Fanatic Member
we don't want our clients to even know the address of the server, much less it's design and contents...
Well, using this, your application is limited to only a certain server. You may need to use another server in the future (i.e. in case your original server is down).
To implement security in a component you need to use the Microsoft Transaction Type Library (mtxas.dll). This allows you to check the user name, password, role... So even if you know the user name and password, you still need to know the roles as well before you can hack into the component.
Regards,
TheBao
-
Jun 6th, 2001, 06:02 PM
#3
thanks, TheBao... but, unfortunately, i've run into some crazy wall that i have to get over first... think you could take a look?... thanks!
http://161.58.186.97/showthread.php?s=&threadid=80993
-
Jun 6th, 2001, 06:10 PM
#4
Lively Member
"a component that will be shipped to clients for my company"
"we don't want our clients to even know the address of the server"
idover, if you ship a component to a customer and it connects to a datastore, then with a network sniffer you will always be able to detect which server that specific component is connecting to.
So what you're saying is impossible.
In general, the O.S. provides a more secure architecture than someone can build on their own, so try to integrate as much as possible.
(For example, run your COM+ App under a specific identity and map this account to, for example, SQL Server or another datastore.)
Gijs
-
Jun 6th, 2001, 06:18 PM
#5
one idea that i have is to force our clients to provide the ip addresses of servers that will have the component installed... in the same dataserver that they're querying, this info will be stored... and like you said, i plan to put as much of my code as is possible in this component... and one of the functions in the code will look into this table of ip addresses and clients and make sure that it can allow itself to continue... i figure this could be done pretty easily...
we're also in a situation where, as the client base grows, we will have to look for an outside provider for a sql server, and the difference between income and expenses wouldn't allow for a dedicated server... which becomes a security issue in its own right... and i'm pretty sure that shared servers allow only one sql account... but i could be wrong...
thanks!
-
Jun 11th, 2001, 03:00 PM
#6
gijsj, thanks for the info... will these sniffers disclose other information as well?... such as the user id and/or password?... i think that my solution that i mentioned earlier will work... as long as the client doesn't somehow retrieve the userid and password from the library file... any more suggestions?...
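Posts #1 and #6 both worry that anyone can open the shipped DLL in Notepad and read the server address or the user id and password out of the library file. As an added example that is not part of the thread, here is a pre-release check in Python that pulls printable ASCII and UTF-16LE strings out of a binary image and flags embedded IPv4 addresses and connection-string credential keys; the sample bytes below are constructed to stand in for a compiled DLL and are not a real file.

```python
import re

# Runs of 4+ printable characters, stored either as ASCII or as UTF-16LE
# (VB6/COM string literals are commonly UTF-16LE, so both forms are scanned).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Dotted-quad IPv4 address with each octet limited to 0-255.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

# Keys that typically carry credentials in OLE DB / ODBC connection strings.
CRED_KEYS = re.compile(r"(?:password|pwd|uid|user id)\s*=", re.IGNORECASE)


def extract_strings(blob: bytes) -> list:
    """Return every printable ASCII and UTF-16LE string found in the bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def scan_binary(blob: bytes) -> dict:
    """Flag hard-coded server addresses and credential keys in a binary image.

    Returns {"ips": sorted unique IPv4 addresses,
             "credentials": strings that contain a credential key}.
    """
    ips, creds = [], []
    for s in extract_strings(blob):
        ips.extend(IPV4.findall(s))
        if CRED_KEYS.search(s):
            creds.append(s)
    return {"ips": sorted(set(ips)), "credentials": creds}


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a DLL/EXE on disk."""
    with open(path, "rb") as fh:
        return scan_binary(fh.read())


# Constructed stand-in for a DLL image: a fake header, an ASCII connection
# string with embedded credentials, and a UTF-16LE literal holding a second
# address. The addresses are documentation ranges, not real servers.
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"Provider=SQLOLEDB;Data Source=192.0.2.10;User ID=app;Password=hunter2;"
    + b"\x00" * 4 + "203.0.113.5".encode("utf-16-le") + b"\x00\x00\xff\xfe"
)

if __name__ == "__main__":
    result = scan_binary(SAMPLE_DLL)
    print("embedded IPs:", result["ips"])
    print("credential strings:", result["credentials"])
```

Run it against the built component before it ships; anything it reports is readable by the client with the same effort, so the fix is to move that value out of the binary (for example into the COM+ identity and integrated authentication that Gijs describes) rather than to obscure it.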
-
Jun 11th, 2001, 03:22 PM
#7
Lively Member
Whether it discloses other information as well depends entirely on the protocol and authentication type you use. You should try to integrate your App as much as possible with the security framework the O.S. provides. And never send user credentials in clear text over the wire.
-
Jun 11th, 2001, 04:34 PM
#8
Lively Member
You're right!
Only concatenating numeric digits to create an IP address doesn't make sense. That's something you want to incorporate in your general architecture and infrastructure design, not in coding!