cdaq

Reputation: 167

Users spoofing domain name

We currently have a WinForms app that allows users to log in in order to access the system. The authentication system is a custom-made kludge. I'm working on implementing a change that links users' NT username and domain name to their existing custom account so that they don't need to repeatedly log in. I'm using WindowsIdentity.GetCurrent().Name and then storing that information in a database table that maps to their old account ID. What I'm wondering is whether it would be possible for a user to VPN into the network with a computer name that mirrors the real domain name. This could potentially give a rogue user access to someone else's account. I guess the real question is: is there a way to differentiate between the SQL Server's domain and a user's domain without just doing a string compare on the names?

Upvotes: 5

Views: 1281

Answers (2)

Joshua

Reputation: 43317

THE SERVER MUST NOT TRUST THE CLIENT.

If the client can get and use credentials to log in to the database server you're toast.

If your server is only a database server and your application does not use trusted connections and your application does not prompt for db credentials you're toast. (See previous statement.)

I'm lazy. I'll patch WindowsIdentity.GetCurrent().Name to return "Administrator" if I feel like it.

Upvotes: 1

David McEwing

Reputation: 3340

Yes, it would if your app was using SQL Authentication to access the database. If you change the database connection to use trusted authentication, then SQL Server will authenticate the login against the domain controller. So despite the user having access to the application, they wouldn't be able to access the database driving the application. If you did this, you could also move the capturing of the user name to a SQL Server stored procedure, which would ensure that the name captured matched that of the domain rather than the local user's.

Upvotes: 2
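The stored-procedure approach this answer describes, written out as an added example (not code from the original post). The table dbo.AccountLogin, its columns and the procedure name are assumptions; the identity comes from the session SQL Server authenticated, so a client-supplied WindowsIdentity.GetCurrent().Name never enters the lookup.

```sql
-- Assumed mapping table: the domain login that SQL Server authenticated,
-- linked to the legacy custom account id.
CREATE TABLE dbo.AccountLogin (
    WindowsLogin    sysname NOT NULL PRIMARY KEY,   -- e.g. N'CORP\alice'
    LegacyAccountId int     NOT NULL
);
GO

-- Requires the app to connect with Integrated Security=SSPI (trusted connection).
-- A machine that merely names itself after the domain cannot pass this check:
-- the domain controller, not the client, vouches for nt_domain / nt_user_name.
CREATE PROCEDURE dbo.GetLegacyAccountForCaller
    @LegacyAccountId int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @domain sysname, @user sysname;

    -- Own session is always visible without VIEW SERVER STATE.
    -- nt_user_name is NULL for SQL-authenticated logins, which are not
    -- domain-verified and so must not be trusted for account linking.
    SELECT @domain = nt_domain,
           @user   = nt_user_name
    FROM   sys.dm_exec_sessions
    WHERE  session_id = @@SPID;

    IF @user IS NULL
        THROW 50001, 'Caller must connect with Windows (trusted) authentication.', 1;

    SELECT @LegacyAccountId = LegacyAccountId
    FROM   dbo.AccountLogin
    WHERE  WindowsLogin = @domain + N'\' + @user;

    -- Unknown domain user: fail closed instead of returning nothing.
    IF @LegacyAccountId IS NULL
        THROW 50002, 'No legacy account is linked to this Windows login.', 1;
END
GO

-- Usage from the application connection (Integrated Security=SSPI):
DECLARE @id int;
EXEC dbo.GetLegacyAccountForCaller @LegacyAccountId = @id OUTPUT;
SELECT @id AS LegacyAccountId;
```

Grant the application's Windows logins EXECUTE on the procedure only, not SELECT on dbo.AccountLogin, so the mapping can be read solely through the server-side identity check.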
