Thread: WSI Password

We are trying to create a WSI interface to do various import/export tasks, but we don't want store the admin password, but rather queries for the Clear Text Password (not salted/hashed).

Is there a way to do the salting/hashing locally before calling WSI so we don't have to have the salted/hashed password keyed into the GUI?

What would be needed in the local application to do this?

Thanks!

Not sure if you are aware of our sample WSI test program which you could use for your XML import/export tasks. You can download the client application by going to http://www.aspdotnetstorefront.com/d...estProgram.zip

Upon running that application, you could use either Salted+Hashed (use this if 'Use WSE3 Token Authentication' is checked) or clear text password.

Is there some way to restict access to WSI to a speicfic IP, or range of IP's?
or what is the best way to secure the WSI from hackers (besides HTTPS).

Bumping...

How about if we restrict acess to the App_Code folder in IIS, or moving the ipx.cs file or other critical files into another controlled directory which is IP restricted?

Any thoughts? It doesn't seem likely that nobody has ever tried to restrict access to WSI.

Thanks in advance for any tips you may have regarding this...

What type of access restriction do you need? Isnt a secure user/pw enough?

Call me paranoid, but I like extra security, firewalls, restrictions etc. Anyone can hack a password given enough tries, but if they can't even try that's all the more better... right?

Originally Posted by Amazing

Call me paranoid, but I like extra security, firewalls, restrictions etc. Anyone can hack a password given enough tries, but if they can't even try that's all the more better... right?

Yes, I too am paranoid, but if the password can be cracked so easily wouldnt it also be an issue in the admin? Seems if I could break a pw, I would prefer to just do so and log into the admin.

It isn't so much "guessing" the pwd.. what if someone wrote it down, and took it home or emailed it to someone else?

We are already IPV4 restricting access to the "Admin" folder, so that isn't an issue.
I guess what I'm getting after now, is can I'm wondering if one moves the ipx.cs file into the Admin folder (which is we are already restricting) and if I change the reference to it in the .asmx file it will still work. I guess I will be trying a couple things. I just can't believe that nobody else is as paranoid as me...

Or maybe there is a better way to reduce hacking attempt that can occur to WSI?

You need to see this thread and follow our best security practices.