I have done business with a Health Agency for about 15 years who uses my Vehicle Fleet Management application. About 3 years ago I was informed my old ( original ) dbf\cdx application was a security risk. Ok, I can understand that .. the application was on a network share and anyone with Excel could open any .dbf.
I took out a small contract to migrate the dbf\cdx to their on campus secure Sql Server using ADO .. and that seemed to satisfy the Network admin and the IT folks for a few years up until last week.
Since this is a large Agency they use Microsoft networking with Active Directory, As a VERY nice enhancement to the application, I incorporated some LDAP code to open a connection to Active Directory .. query AD for ( only ) First name, Last Name, and Userid to populate xBrowse as a look up table to add employees to a Drivers table.
I informed the Sql DBA that I needed two new fields added and I would be using those new fields to incorporate the new LDAP enhancement and this was his responce:
My response to the Network Admin was "bring it on" ... unfortunately, the Fleet Manager did not want to stir up the pot and his manager probably would not pay for the testing and the fleet manager asked me to not push the issue.
I informed the Network admin that I would take the ldap code out .. which I have done. The Network admin is still on the hook to add a new field unrelated to this issue . and has been un-responsive to this date.
I did call the network admin and he also mentioned that they may add a 'penetration' test to the review of my software as well.
My software sits inside an MPLS Firewalled network .. has no access to the outside world .. I am connecting to sql Server via ADO using the Sql Server DNS name and the secure Sql userid and password.
I also use Aspack to compress my executable and when the .exe is viewed under a hex editor .. there is absolutely nothing readable ANYWHERE in the hex .. usually if you look at an un-compressed .exe with a hex editor .. you can see code extracts embeded in various parts of the Hex... however Aspack totally removes any readable text:
Here is a snipit of the LDAP code which I shared with the network admin :
- Code: Select all Expand view RUN
Domain := "LDAP://"+alltrim(cDomain)
cConnect := "Active Directory Provider"
oCn := CREATEOBJECT( "ADODB.Connection" )
oCn:Provider := 'ADsDSOObject'
TRY
oCn:Open( cConnect )
CATCH oErr
Saying := "Could not open a Global Connection to Domain "+cDomain
MsgInfo( Saying )
RETURN(.F.)
END TRY
*msginfo( "Connection Established" )
oRs := TOleAuto():new("ADODB.Command")
oRs:ActiveConnection := oCn
// add middlename
cSQL := "SELECT "
cSql += " telephoneNumber,"
cSql += " displayName," // fullname
cSql += " sAMAccountname," // userid
cSql += " sn," // last name sn
cSql += " givenname" // first name
cSql += ""
cSql += " FROM '"+cDomain+"'"
cSql += " WHERE objectCategory = 'person' AND"
cSql += " objectClass = 'user' "
DO Case
Case cAdFind = "Bogus"
// do nothing .. full table scan
OtherWise
cSql += " and displayname = '*"+alltrim(cAdFind)+"*' "
End DO
cSql += " ORDER BY displayName"
oRs:CommandText := cSql //cString + cWhere
oProp := oRs:Properties( 'SearchScope' )
oProp:value := ADS_SCOPE_SUBTREE
oProp := oRs:Properties( 'Page size' )
oProp:value := 2000
Try
oRsAd := oRs:Execute()
Catch oErr
Msginfo( "LDAP Query Execution Error")
oCN:CLose()
Return(.f.)
End Try
aData := {}
aHead := {}
// generate xBrowse headings
nFields := oRsAd:Fields:Count()
For nI := 0 TO nFields - 1
Aadd( aHead, oRsAd:Fields(nI):name )
Next
nLen := oRsAd:RecordCount()
IF nLen > 0
oRsAd:MoveFirst()
Do WHILE .not. oRsAd:Eof()
aReg := {}
For nI := 1 TO Len(aHead)
Aadd( aReg, oRsAd:Fields( aHead[nI] ):value )
NEXT
If empty( aReg[1]) .or. aReg[1] = " "
Else
Aadd( aData, aReg )
ENdif
oRsAd:MoveNext()
Enddo
Else
Msginfo( "No LDAP Data found" )
oRsAd:CLose()
oCN:CLose()
Return(.f.)
Endif
LightGreyGrad()
If cMode = "R"
Else
oButt1:Disable()
oButt2:Disable()
Endif
lOk3 := .f.
DEFINE DIALOG oDlg RESOURCE "USERSLCT" ;
TITLE "User LDAP Look Up Table" ;
REDEFINE xBROWSE oLBX ;
ARRAY aData ;
HEADERS "FirstName", ;
"LastName", ;
"UserId", ;
"FullName", ;
"Phone" ;
COLSIZES 97,97,97,150 ;
ID 111 of oDlg ;
AUTOSORT AUTOCOLS LINES CELL
oLbx:lHScroll := .f. // turn off horiz scroll bar
oLbx:lRecordSelector := .f.
oLbx:nMarqueeStyle := MARQSTYLE_HIGHLROW
oLbx:bLDblClick := { |nRow,nCol | (lOk3 := .t.,oDlg:End()) }
_BrowColor(oLbx)
REDEFINE BTNBMP oBtn1 ID 113 of oDlg ;
RESOURCE "OK", "DOK", "DOK" ;
PROMPT "&Ok" LEFT 2007;
ACTION (lok3 := .t., oDlg:End() )
REDEFINE BTNBMP oBtn2 ID 112 OF oDlg ;
RESOURCE "CANCEL", "DCANCEL", "DCANCEL" ;
PROMPT "&Cancel" LEFT 2007;
ACTION ( lOk3 := .f.,oDlg:End())
ACTIVATE DIALOG oDlg;
ON INIT ( oDlg:Move(100,400)) ; //, oLbx:SetFocus() );
VALID(!GETKEYSTATE( 27 ))
I have no idea how much more I can secure an application .. again, this is running within the clients MPLS network .. The application does not reach out to the internet .. so what is their to penetrate .. I am making a DNS connection to their secure Sql Server .. the ldap code opens a connection .. I query the elements I want .. send it to xBrowse .. and close the connection ??
I have no idea what a security review would find ? .. seems pretty locked down to me.
Rick Lipkin