Arash Posted February 4, 2021 (edited)
Hi, The question might seem too obvious but I am not familiar with the topic. I am writing a DLL to be shared with internal users in my company as well as customers. I want to enable certain features in the DLL only for internal users. Since all company PCs are connected to our domain, an easy way to recognize them is to check for the DNS domain name, using "GetComputerNameEx". However, I was wondering how secure this is. Can someone else simply manipulate their PC to show the same domain name?
Edit: In my case, it is enough to limit the access only to those who have access to our intranet. So any other suggestion that might be more secure and doesn't require special permissions or elevation is welcome.
Regards, Arash
Edited February 4, 2021 by Arash
Anders Melander Posted February 4, 2021
3 hours ago, Arash said: However, I was wondering how secure is this?
It's not secure at all. Nothing prevents someone from setting up a local PC, or even a VM, with the same config as one on your domain.
Fr0sT.Brutal Posted February 4, 2021
The most secure code is non-existing code
David Heffernan Posted February 4, 2021
The question really is how much security you need. What would be the consequence of somebody outside your organisation getting access to this functionality?
Arash Posted February 4, 2021
1 hour ago, Anders Melander said: It's not secure at all. Nothing prevents someone from setting up a local PC, or even a VM, with the same config as one on your domain.
Thanks for the reply. Two questions:
1. Do you have any suggestion that I can use without going through licensing hassles?
2. When I tried to set the domain of my personal PC to our company domain, I got the following error. Is this easy to bypass?
"An Active Directory Domain Controller (AD DC) for the domain xxx could not be contacted. Ensure that the domain name is typed correctly"
Arash Posted February 4, 2021 (edited)
32 minutes ago, David Heffernan said: The question really is how much security you need. What would be the consequence of somebody outside your organisation getting access to this functionality?
Thanks for the answer. It's not an easy question to answer. It includes some sensitive information from the products. However, I'm not trying to hide info from professional hackers and it would be enough to prevent those who don't have access to our intranet.
Edited February 4, 2021 by Arash
Alexander Elagin Posted February 4, 2021
I do not know how secure it is, but the function NetWkstaGetInfo can provide some information about the domain. There is also some code on StackOverflow.
Anders Melander Posted February 4, 2021
1 hour ago, Arash said: Do you have any suggestion that I can use without going through licensing hassles?
As David said, it really depends on the level of security you need. Since the users will presumably have unlimited access to the client binaries, the best you can hope for is security through obscurity. Once you accept that, your choice depends on the value (to the user) of the assets you are trying to protect. You just need to make circumventing your protection sufficiently costly (in time) for the user that they won't bother. Since I don't know any of those metrics I can't really recommend a solution.
1 hour ago, Arash said: When I tried to set the domain of my personal PC to our company domain, I got the following error. Is this easy to bypass?
Yes. Everyone can set up a domain controller and name it anything they want.
David Heffernan Posted February 4, 2021
3 hours ago, Arash said: However, I'm not trying to hide info from professional hackers and it would be enough to prevent those who don't have access to our intranet.
Put the code that you don't want clients to have access to in a separate module/library/web service/etc. that is only available on your intranet.
FPiette Posted February 4, 2021
3 hours ago, Arash said: it would be enough to prevent those who don't have access to our intranet.
You could check for a resource that is only accessible from within the intranet. You could also connect to a share only accessible in your intranet, using a user/code password correctly hidden in the DLL. Of course this would not stop a real hacker, but the casual user will be barred.
Remy Lebeau Posted February 4, 2021
7 hours ago, Arash said: I am writing a DLL to be shared with internal users in my company as well as customers. I want to enable certain features in the DLL only for internal users.
What about requiring internal users to sign their EXEs with a company-issued certificate, and then having the DLL validate that when loaded?
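Remy's suggestion can be implemented with WinVerifyTrust, which validates the Authenticode signature of a file, followed by a check that the signing (leaf) certificate is the company's own rather than any certificate that happens to chain to a trusted root. The unit below is an added example written for this thread, not code from any of the posters. The WinTrust structures and imports are declared by hand because the Delphi RTL does not ship them; only the leading fields of CRYPT_PROVIDER_CERT and CRYPT_PROVIDER_SGNR that the code reads are declared; COMPANY_SIGNER_THUMBPRINT is a placeholder for the SHA-1 thumbprint of the real code-signing certificate, and the function names are my own.

```delphi
unit CallerSignatureCheck;

{ Added example: enable the feature only when the EXE that loaded this DLL is
  Authenticode-signed with the company's own code-signing certificate. }

interface

function HostExeIsSignedByCompany: Boolean;

implementation

uses
  Winapi.Windows, System.SysUtils;

type
  PWinTrustFileInfo = ^TWinTrustFileInfo;
  TWinTrustFileInfo = record
    cbStruct: DWORD; pcwszFilePath: PWideChar; hFile: THandle; pgKnownSubject: PGUID;
  end;

  TWinTrustData = record                 // pre-Windows 8 layout, still accepted
    cbStruct: DWORD;
    pPolicyCallbackData, pSIPClientData: Pointer;
    dwUIChoice, fdwRevocationChecks, dwUnionChoice: DWORD;
    pFile: PWinTrustFileInfo;            // union; only the file member is used
    dwStateAction: DWORD;
    hWVTStateData: THandle;
    pwszURLReference: PWideChar;
    dwProvFlags, dwUIContext: DWORD;
  end;

  // Leading fields only; the real structures are longer, so only element 0 of
  // pasCertChain (the leaf / signing certificate) may be accessed through these.
  PCryptProviderCert = ^TCryptProviderCert;
  TCryptProviderCert = record
    cbStruct: DWORD; pCert: Pointer;     // pCert is a PCCERT_CONTEXT
  end;
  PCryptProviderSgnr = ^TCryptProviderSgnr;
  TCryptProviderSgnr = record
    cbStruct: DWORD; sftVerifyAsOf: TFileTime; csCertChain: DWORD; pasCertChain: PCryptProviderCert;
  end;

const
  WINTRUST_ACTION_GENERIC_VERIFY_V2: TGUID = '{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}';
  WTD_UI_NONE = 2; WTD_REVOKE_NONE = 0; WTD_CHOICE_FILE = 1;
  WTD_STATEACTION_VERIFY = 1; WTD_STATEACTION_CLOSE = 2;
  CERT_HASH_PROP_ID = 3;                 // SHA-1 thumbprint property
  // Placeholder: replace with the thumbprint of the company signing certificate.
  COMPANY_SIGNER_THUMBPRINT = '0000000000000000000000000000000000000000';

function WinVerifyTrust(hwnd: HWND; pgActionID: PGUID; pWVTData: Pointer): Longint;
  stdcall; external 'wintrust.dll';
function WTHelperProvDataFromStateData(hStateData: THandle): Pointer;
  stdcall; external 'wintrust.dll';
function WTHelperGetProvSignerFromChain(pProvData: Pointer; idxSigner: DWORD;
  fCounterSigner: BOOL; idxCounterSigner: DWORD): PCryptProviderSgnr;
  stdcall; external 'wintrust.dll';
function CertGetCertificateContextProperty(pCertContext: Pointer; dwPropId: DWORD;
  pvData: Pointer; var pcbData: DWORD): BOOL; stdcall; external 'crypt32.dll';

// Hex SHA-1 thumbprint of the signing certificate, read from the verify state.
function LeafThumbprintHex(hStateData: THandle): string;
var
  ProvData: Pointer;
  Signer: PCryptProviderSgnr;
  Hash: array[0..19] of Byte;
  Size: DWORD;
  I: Integer;
begin
  Result := '';
  ProvData := WTHelperProvDataFromStateData(hStateData);
  if ProvData = nil then Exit;
  Signer := WTHelperGetProvSignerFromChain(ProvData, 0, False, 0);
  if (Signer = nil) or (Signer^.csCertChain = 0) then Exit;
  Size := SizeOf(Hash);
  if not CertGetCertificateContextProperty(Signer^.pasCertChain^.pCert,
      CERT_HASH_PROP_ID, @Hash, Size) then Exit;
  for I := 0 to Integer(Size) - 1 do
    Result := Result + IntToHex(Hash[I], 2);
end;

function HostExeIsSignedByCompany: Boolean;
var
  ExePath: string;
  FileInfo: TWinTrustFileInfo;
  Data: TWinTrustData;
begin
  SetLength(ExePath, MAX_PATH);          // module handle 0 = the EXE that loaded us
  SetLength(ExePath, GetModuleFileName(0, PChar(ExePath), MAX_PATH));
  FillChar(FileInfo, SizeOf(FileInfo), 0);
  FileInfo.cbStruct := SizeOf(FileInfo);
  FileInfo.pcwszFilePath := PWideChar(ExePath);
  FillChar(Data, SizeOf(Data), 0);
  Data.cbStruct := SizeOf(Data);
  Data.dwUIChoice := WTD_UI_NONE;
  Data.fdwRevocationChecks := WTD_REVOKE_NONE;
  Data.dwUnionChoice := WTD_CHOICE_FILE;
  Data.pFile := @FileInfo;
  Data.dwStateAction := WTD_STATEACTION_VERIFY;   // keep state so the signer can be read
  try
    // ERROR_SUCCESS = valid signature chaining to a trusted root. That accepts
    // any publisher, so the signer is pinned by thumbprint as well.
    Result := (WinVerifyTrust(HWND(-1), @WINTRUST_ACTION_GENERIC_VERIFY_V2, @Data) = ERROR_SUCCESS)
      and SameText(LeafThumbprintHex(Data.hWVTStateData), COMPANY_SIGNER_THUMBPRINT);
  finally
    Data.dwStateAction := WTD_STATEACTION_CLOSE;   // release hWVTStateData
    WinVerifyTrust(HWND(-1), @WINTRUST_ACTION_GENERIC_VERIFY_V2, @Data);
  end;
end;

end.
```

Call HostExeIsSignedByCompany from the DLL's initialization or from the gated exports. Revocation checking is switched off here so the check works on machines without internet access; turn it on with WTD_REVOKE_WHOLECHAIN if the internal PCs can reach the CRL/OCSP endpoints. As the rest of the thread points out, this is still a check inside a binary the user holds, so it raises the effort needed rather than making the feature unreachable.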
Arash Posted February 4, 2021 (edited)
Thanks for the last few answers. The company is using Azure Identification for basic access to intranet as well as different access levels. So I would either put the code on intranet and hook to it, or try to find a way to check Azure authentication from within the DLL.
Edited February 4, 2021 by Arash
Darian Miller Posted February 4, 2021
9 hours ago, Arash said: Hi, The question might seem too obvious but I am not familiar with the topic. I am writing a DLL to be shared with internal users in my company as well as customers. I want to enable certain features in the DLL only for internal users. Since all company PCs are connected to our domain, an easy way to recognize them is to check for the DNS domain name, using "GetComputerNameEx". However, I was wondering how secure is this? Can someone else simply manipulate their PC to show the same domain name? Edit: In my case, it is enough to limit the access only to those who have access to our intranet. So any other suggestion that might be more secure and doesn't require special permissions or elevation is welcome. Regards, Arash
You don't want to validate a name. You want to validate a logon session against your domain controllers. You could also split the secure features in the DLL into a different DLL and put that secure DLL into a place on the network that only authenticated users have access to. (That doesn't help if someone makes a copy of the DLL and exposes it later.) Finally, consider adding the secure DLL code to a web service and authenticate the calls made to the service.
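Darian's point is to look at the logon identity rather than at a name that anyone can reproduce on their own domain controller. One way to do that from inside the DLL, as an added example written for this thread and not code from any of the posters, is to read the SID of the account running the host process and compare its domain part (everything before the final RID) with the SID of the company domain. A domain SID is a random value generated when the domain is created, so a look-alike domain with the same DNS name gets a different one. COMPANY_DOMAIN_SID is a placeholder for the real value (shown locally by "whoami /user" minus the last "-<RID>" component), and the function names are my own.

```delphi
unit LogonDomainCheck;

{ Added example: decide "internal user" from the domain part of the process
  token's user SID instead of the DNS domain name. }

interface

function CurrentUserDomainSid: string;
function CurrentUserIsInCompanyDomain: Boolean;

implementation

uses
  Winapi.Windows, System.SysUtils;

const
  // Placeholder: replace with your own domain's SID.
  COMPANY_DOMAIN_SID = 'S-1-5-21-000000000-000000000-000000000';

// advapi32 export, declared here because older Delphi versions do not import it.
function ConvertSidToStringSidW(Sid: PSID; var StringSid: PWideChar): BOOL; stdcall;
  external 'advapi32.dll';

// Returns the token user's SID in string form with the trailing RID removed,
// e.g. S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c. Empty string on any failure.
function CurrentUserDomainSid: string;
var
  Token: THandle;
  Needed: DWORD;
  UserInfo: PTokenUser;
  SidStr: PWideChar;
  FullSid: string;
  Dash: Integer;
begin
  Result := '';
  FullSid := '';
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token) then
    Exit;
  try
    // The first call only reports the buffer size needed for TOKEN_USER.
    Needed := 0;
    GetTokenInformation(Token, TokenUser, nil, 0, Needed);
    if Needed = 0 then
      Exit;
    GetMem(UserInfo, Needed);
    try
      if not GetTokenInformation(Token, TokenUser, UserInfo, Needed, Needed) then
        Exit;
      if not ConvertSidToStringSidW(UserInfo^.User.Sid, SidStr) then
        Exit;
      try
        FullSid := SidStr;
      finally
        LocalFree(HLOCAL(SidStr));   // the string buffer is allocated by the system
      end;
    finally
      FreeMem(UserInfo);
    end;
  finally
    CloseHandle(Token);
  end;
  // Local accounts yield the machine SID here, domain accounts the domain SID.
  Dash := LastDelimiter('-', FullSid);
  if Dash > 1 then
    Result := Copy(FullSid, 1, Dash - 1);
end;

function CurrentUserIsInCompanyDomain: Boolean;
begin
  Result := SameText(CurrentUserDomainSid, COMPANY_DOMAIN_SID);
end;

end.
```

Two caveats worth keeping in mind. The check proves that the process runs under an account from the real domain, not that a domain controller was contacted: a laptop with cached domain credentials passes while off the network, which may or may not be what "has access to our intranet" should mean. And it is still code inside a DLL the user holds, so it does not replace the separate-DLL or web-service options Darian describes; it only makes the easy spoof (renaming a home domain) ineffective.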
David Schwartz Posted February 4, 2021
Where I work, we have a double-firewall and use a VPN and require regular logins. All of the software on every computer has been scanned and stuff that looks suspicious is flagged and removed. We have a bunch of automation equipment that uses a process on an internal server to issue connection tokens that are used to talk with other services. It's a pretty hairy mess ... and we STILL get intruders from time to time! I have no idea how because this system seems far more effective at keeping internal users out than unauthorized users. Something shut down last night and nobody could get anything done until late this morning after enough people started raising a ruckus that IT finally resorted to restarting things until the problem went away.
If you're looking for a simple "set-it-and-forget-it" approach to this, forgetaboutit.
That said, if you have an intranet then you have a firewall and you're probably operating on a local subnet, like 10.0.x.x. So put the code somewhere on that subnet and set up something in your hosts file that lets people reach it. Nobody will be able to get it from outside the firewall. That doesn't mean they can't get access to it without some cunning, but in general it won't be easy to get.
Attila Kovacs Posted February 4, 2021
As François suggested, set up a resource in the domain which you check against; then you can manage the permissions from the background. And for your customers, as many of us suggested, create a separate DLL. If you are concerned about leaking the internal DLL to the customers, load the data in the internal DLL from the internal resource.
Vincent Parrett Posted February 7, 2021
The simplest option here is to produce two versions of the DLL, one for internal users, one for external. Any fancy trickery might stop casual users from getting access to the internal functionality, but it won't stop anyone who has the skills to dig in and figure out what is needed to expose it.