
Can System.Environment.UserName be easily faked?


In a Windows WPF desktop app I am using System.Environment.UserName in this way:

    // Look up the current Windows user (name + domain) in the Logins table.
    var q = from l in db.Logins
            where l.WinLogin.Trim().Equals(System.Environment.UserName, StringComparison.InvariantCultureIgnoreCase)
               && l.WinDomain.Trim().Equals(System.Environment.UserDomainName, StringComparison.InvariantCultureIgnoreCase)
            select l.LoginID;

    var login = q.FirstOrDefault();
    if (login == null)
    {
        /* Access rejected */
    }
    else
    {
        /* Access granted */
    }

I am wondering if the content of System.Environment.UserName & System.Environment.UserDomainName can be easily faked (set to someone else's account) within a Windows domain or not by a non-administrator user. I hope that this authentication is OK for a normal Windows app that does not require top security; I just want to make sure I did not overlook something obvious.

For instance, if I create a home workgroup with the same name as the Windows domain and then create a user within that workgroup, then connect using VPN to that Windows domain and install the app on the home workgroup computer, will I fake these variables and get access or not?


Solution

  • No, the System.Environment variables are for that machine only. The username and domain name can't be faked. The call is eventually handled by ADVAPI32, which is the Windows component in charge of internal Windows stuff.

    You can't fake it using VPN or other methods either. That doesn't mean they can't get between the app and the database you are connecting to. Make sure to secure that too.
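
A variant of the check from the question, added here as an example (it is not code from the question or the answer): it compares the security identifier (SID) of the current Windows token instead of the user and domain name strings, so only an account issued by the expected domain can match. The domain SID, the sample account SID and the idea of keeping SIDs alongside the `Logins` rows are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

static class LoginCheck
{
    // Constructed placeholder: replace with the SID of your own AD domain.
    const string ExpectedDomainSid = "S-1-5-21-1111111111-2222222222-3333333333";

    // Returns the caller's account SID when it was issued by the expected
    // domain and is listed in allowedSids; otherwise returns null.
    public static string ResolveLogin(ISet<string> allowedSids)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            SecurityIdentifier user = id.User;
            if (user == null || !id.IsAuthenticated || id.IsAnonymous || id.IsGuest)
                return null;

            // For a domain account this is the domain's SID; for a local
            // account it is the SID of the local machine's account database,
            // which differs even when the names are identical.
            SecurityIdentifier domain = user.AccountDomainSid;
            if (domain == null || !domain.Equals(new SecurityIdentifier(ExpectedDomainSid)))
                return null;

            return allowedSids.Contains(user.Value) ? user.Value : null;
        }
    }

    static void Main()
    {
        // Constructed sample: in the app this set would come from the
        // (hypothetical) SID column stored with each Logins row.
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            ExpectedDomainSid + "-1104"
        };

        string sid = ResolveLogin(allowed);
        Console.WriteLine(sid == null ? "Access rejected" : "Access granted for " + sid);
    }
}
```

The check still executes inside the client process, so the database connection the answer mentions needs its own authentication of the connecting user.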