But what about them hackers?


Question


Hi all,

We have an administrative application that we are considering rewriting in
aspx with vb2005. I think the marketing possibilities are enormous.

In our standard app, the user logs in by entering his/her user name and
password. In the online version that would be Client ID / user ID /
Password. So far so good. But I'm just wondering... how secure is this? I
guess not very. Every disgruntled employee can go online at home, enter their
name and password and do whatever they like.

Now for clients with a fixed IP address I can check the IP address as a part
of the authentication. But what if my client has a dynamic IP address?

I would love to hear your thoughts on this matter,

Thanks,
Martin

Answers

Username and password in combination with forms authentication or Windows
authentication should be secure enough.

If you use forms authentication and use a DB as storage, use parameterized
queries or SPs to protect against SQL injection.

About the employee that abuses his account, it should be clear that anyone
who has the keys to your house can steal everything that is inside; however,
if you arrive at your home and everything is gone without any traces of
burglary,
it would sure limit the number of suspects.

regards

michel


"Martin" wrote:



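As an added example (not code from the thread or from either poster), here is the login lookup Michel describes, written against ADO.NET as a VB 2005 project would use it: the string-concatenated query that is open to SQL injection, beside the parameterized query and a parameterized stored-procedure call. The table Users(ClientId, UserId, PasswordHash), the procedure dbo.CheckLogin and the class name are assumptions.

```vb
Imports System.Data
Imports System.Data.SqlClient
' Assumed (not from the thread): table Users(ClientId, UserId, PasswordHash) and proc dbo.CheckLogin.
Public Class LoginRepository
    Private ReadOnly _connStr As String

    Public Sub New(ByVal connectionString As String)
        _connStr = connectionString
    End Sub

    ' VULNERABLE: the submitted values are spliced into the SQL text, so input
    ' containing quotes changes the statement instead of being treated as data.
    Public Function ExistsUnsafe(ByVal clientId As String, ByVal userId As String, ByVal pwdHash As String) As Boolean
        Dim sql As String = "SELECT COUNT(*) FROM Users WHERE ClientId = '" & clientId & _
            "' AND UserId = '" & userId & "' AND PasswordHash = '" & pwdHash & "'"
        Using cn As New SqlConnection(_connStr), cmd As New SqlCommand(sql, cn)
            cn.Open()
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function

    ' SAFE: the statement text is a constant; the values travel as typed
    ' parameters and are never parsed as SQL, whatever characters they contain.
    ' pwdHash is the hash of the submitted password, computed before this call.
    Public Function Exists(ByVal clientId As String, ByVal userId As String, ByVal pwdHash As String) As Boolean
        Const sql As String = "SELECT COUNT(*) FROM Users WHERE ClientId = @c AND UserId = @u AND PasswordHash = @p"
        Using cn As New SqlConnection(_connStr), cmd As New SqlCommand(sql, cn)
            cmd.Parameters.Add("@c", SqlDbType.NVarChar, 50).Value = clientId
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = userId
            cmd.Parameters.Add("@p", SqlDbType.NVarChar, 128).Value = pwdHash
            cn.Open()
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function

    ' Stored-procedure variant. It resists injection for the same reason as
    ' Exists(): the inputs are bound as parameters, not concatenated into an
    ' EXEC string. A procedure invoked through a concatenated string is no safer.
    Public Function ExistsViaProc(ByVal clientId As String, ByVal userId As String, ByVal pwdHash As String) As Boolean
        Using cn As New SqlConnection(_connStr), cmd As New SqlCommand("dbo.CheckLogin", cn)
            cmd.CommandType = CommandType.StoredProcedure
            cmd.Parameters.Add("@ClientId", SqlDbType.NVarChar, 50).Value = clientId
            cmd.Parameters.Add("@UserId", SqlDbType.NVarChar, 50).Value = userId
            cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = pwdHash
            cn.Open()
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function
End Class
```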
On Mon, 22 May 2006 15:39:13 +0800, in
microsoft.public.dotnet.languages.vb "Martin" <x@y.com>
<OM*************@TK2MSFTNGP03.phx.gbl> wrote:







You might want to re-think this process.
I would be thinking: who do I want to allow on the system and what
rights would I give them? What information do I know for certain and
can control?

The only IP addresses that you know, and can control, are the
workplace ones. Thus, people who log in from the workplace are given
full access.

Anyone logging in from outside (any other IP address) would only be
given read-only/minimal update privileges.

You can have a look at Authentication and Roles as used in the
web.config file.

(I'm very much new to ASP.NET myself)
---------------------------------------------------------------
jn******@yourpantsyahoo.com.au : Remove your pants to reply
---------------------------------------------------------------
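One way to implement the idea in this reply, as an added example and not the poster's own code: a Global.asax handler in VB 2005 that, after forms authentication has identified the user, places the user in a "FullAccess" role only when the request's TCP peer address lies in the workplace range and in "ReadOnly" otherwise. The 203.0.113.0/24 range is a placeholder and both role names are assumptions.

```vb
Imports System
Imports System.Net
Imports System.Net.Sockets
Imports System.Security.Principal
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication

    ' Placeholder workplace network (documentation range); replace with yours.
    Private Shared ReadOnly WorkplaceNetwork As IPAddress = IPAddress.Parse("203.0.113.0")
    Private Shared ReadOnly WorkplaceMask As IPAddress = IPAddress.Parse("255.255.255.0")

    ' True when addr falls inside WorkplaceNetwork/WorkplaceMask (IPv4 only).
    Public Shared Function IsWorkplaceAddress(ByVal addr As IPAddress) As Boolean
        If addr.AddressFamily <> AddressFamily.InterNetwork Then Return False
        Dim a() As Byte = addr.GetAddressBytes()
        Dim n() As Byte = WorkplaceNetwork.GetAddressBytes()
        Dim m() As Byte = WorkplaceMask.GetAddressBytes()
        For i As Integer = 0 To 3
            If (a(i) And m(i)) <> (n(i) And m(i)) Then Return False
        Next
        Return True
    End Function

    ' Runs after the forms authentication module has validated the ticket; the
    ' credentials are still required, the address only decides which role the
    ' session gets. Role names "FullAccess"/"ReadOnly" are invented here.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return

        ' UserHostAddress is the TCP peer; X-Forwarded-For is client-supplied
        ' unless you control the proxy, so it is deliberately not consulted.
        Dim client As IPAddress = Nothing
        Dim role As String = "ReadOnly"
        If IPAddress.TryParse(ctx.Request.UserHostAddress, client) AndAlso IsWorkplaceAddress(client) Then
            role = "FullAccess"
        End If
        ctx.User = New GenericPrincipal(ctx.User.Identity, New String() {role})
    End Sub
End Class
```

Pages that must stay workplace-only can then be fenced in web.config with a `<location>` element whose `<authorization>` contains `<allow roles="FullAccess"/>` followed by `<deny users="*"/>`, and page code can test `User.IsInRole("FullAccess")` before enabling update controls.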


Hi Michel,

Thanks for your reply. You got a good point there. Besides, we will log all
usage including IP address for audit and billing purposes, so if it is an
"inside job" we'd know the culprit.

The thing that worries me somewhat is outsiders (hackers). I know you can
scramble the password in the database, but still.... You hear of people
breaking into the CIA system, and I bet those guys know a lot more about
security than I do.

The system will store sensitive medical and personal info of patients as
well as financial data of hospitals.

I hear SPs are a good way of protecting a database, but frankly I don't
understand how. A stored procedure can be called by anyone with access to
the database, right? And the database will still be open to regular queries,
or am I seeing that wrong?

"M. Posseth" <MP******@discussions.microsoft.com> wrote in message
news:0A**********************************@microsoft.com...


