3 Comments

  • To echo and amplify David's comments, given your authentication constraints, here are some additional thoughts...

    As David said, your first line of defense is to restrict access to downloading the files through normal ASP.NET mechanisms. Since Windows auth is out for you, Forms Auth is the logical next choice. Through proper management of your users and groups and file associations in IIS and web.config, you can ensure that no one can get the app on their machine unless they are authorized **at some point**.

    I have not tried the scenario of locking down the server after an NTD app has been deployed, but it is a requirement that the NTD app be able to check the server for updates in order to run, so I think an NTD app would refuse to run if a user has been denied access to the original deployment location after they have it on their desktop.

    However, an NTD app just gets cached in the web temp folder like any internet file, so a savvy user could go retrieve the executable from that folder, place it somewhere else on their system, and execute it as a local app, and there is no way to stop that.

    The only line of defense left at that point would be to make sure that whatever protocols that app uses to talk to back end systems are secured themselves. So if the NTD app uses Web Services to get at data or functionality exposed by the back end, then those web service calls will need to use WS-Security through WSE or some similar mechanism to make sure that every call is authorized based on the user's identity.

  • Our back end DAL is a .NET assembly (.NET client to .NET service). Our app is launched with an exe, not through the web browser. My thoughts are to authenticate the user from the launcher.exe with a 'login' web service or remote service. Then, if authenticated, let them download the assemblies.

    Now, as far as how to secure the access to the DAL service running on the web service, I am not sure at this point.
