RDP没有向最终用户泄露密码 [英] RDP without revealing password to the end user

问题描述

我想开发一个应用程序（Web或桌面），最终用户可以连接到Windows服务器（rdp或任何其他），但我们不想向最终用户透露密码。密码也应该与黑客保持安全。密码在我们的数据库中，可以通过wcf或Web服务访问（加密）。我更喜欢.net解决方案

I want to develop a application(web or desktop) where end user can connect to a windows server(rdp or any other) but we don't want to reveal the password to the end user. Also password should be kept secure from hackers. Password is in our database which can be accessed(encrypted) via wcf or web service. I prefer a .net solution

推荐答案

我不相信这样的事情是可能的，原因如下：如果可能的话，它将极大地损害操作系统的安全性。这个想法是：代码中有一个单点，用户通过身份验证;当Windows已经被引导/加载时，没有解决方法。如果您将密码存储在不同系统的某个地方（没有任何东西可以阻止您做这种不安全的事情），那将是您的责任，而不是操作系统作者的责任。



但是如果您同意让某人有机会仅使用密码进行身份验证，然后将其存储在某个地方，那么您可以采用或多或少的安全方式进行身份验证。 （除非你想创建一个永不改变密码的固定帐户并使用这样的设置部署远程系统，这可能但是看起来不够灵活;如果客户需要更换该系统怎么办？）但是你永远不应该存储密码本身，因为如果您的应用程序可以访问它，一些用户也可以通过一些相当大的努力来实现它。这不是真的需要。正确的方法是使用加密哈希函数，仅存储哈希并使用哈希。也许，如果您创建自己的RDP客户端实现，这是可能的。坦率地说，我不确定，因为此时此刻，我不知道通过RDP进行身份验证的细节。你可以从非常好的CodeProject文章中学习：

使用C＃.NET的远程桌面 [ ^ ]，

Palantir - 远程桌面管理器 [ ^ ]。



在更糟糕的情况下例如，您需要设计和实现自己的RDP模拟，这也需要您创建服务部分（请参阅以下链接之一，注释关于类似于RDP的自定义协议）。 br />


要使用加密哈希函数探索身份验证机制，请参阅： http ：//en.wikipedia.org/wiki/Cryptographic_hash_function [ ^ ]。



另见我过去的答案：

我已经加密了我的密码但是当我登录它给我一个错误。如何解密 [ ^ ] ，

使用用户名和密码进行TCP连接 [ ^ ]（关于类似于RDP的自定义协议），

解密加密密码 [ ^ ]，

< a href =http://www.codeproject.com/Answers/427360/storing-password-value-int-sql-server-with-secure#answer2>以安全的方式存储密码值int sql server [< a href =http://www.codeproject.com/Answers/427360/storing-password-value-int-sql-server-with-secure#answer2target =_ blanktitle =New Window> ^ ]。

-SA

I don't believe such thing can be possible, by the following reason: it if was possible, it would greatly compromise OS security. The idea is: there is a single point in code where the user is authenticated; there are no a work-around, when Windows is already bootstrapped/loaded. If you store the password somewhere on a different system (nothing can prevent you from doing such an unsafe thing), it will be your responsibility, not the responsibility of the authors of the OS.

But if you agree to give someone the opportunity to use the password for authentication just once and then store it somewhere, you can do it in more or less secure way. (Unless you want to create a fixed account with never-changing password and deploy the remote system with such settings, which is possible but does not look flexible enough; what if the customers needs to replace that system?) But you should never store the password itself, because if your application can access it, some user will be able to do it, too, with some considerable effort. This is not really needed. The right way is to use cryptographic hash function, store only the hash and use the hash. Probably, this is possible if you create your own RDP client implementation. Frankly, I'm not sure, because, at this moment, I don't know the detail of authentication via RDP. You can lean if from the very good CodeProject articles:
Remote Desktop using C#.NET[^],
Palantir - Remote Desktop Manager[^].

In the very worse case, you would need to design and implement your own analog of RDP, and that would require you to create the service part as well (please see one of the links below commented with "as to the custom protocol similar to RDP").

To explore the authentication mechanism using the cryptographic hash function, please see: http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

See also my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[^],
TCP Connection with username and password[^] (as to the custom protocol similar to RDP),
Decryption of Encrypted Password[^],
storing password value int sql server with secure way[^].

—SA

这篇关于RDP没有向最终用户泄露密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！