Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: WSI Password

  1. #1
    Amazing, Senior Member (Join Date: Nov 2008; Posts: 103)

    WSI Password

    We are trying to create a WSI interface to do various import/export tasks, but we don't want to store the admin password, but rather query for the Clear Text Password (not salted/hashed).

    Is there a way to do the salting/hashing locally before calling WSI so we don't have to have the salted/hashed password keyed into the GUI?

    What would be needed in the local application to do this?

    Thanks!

  2. #2
    ASPAlfred, Senior Member (Join Date: Nov 2007; Posts: 2,244)

    Not sure if you are aware of our sample WSI test program which you could use for your XML import/export tasks. You can download the client application by going to http://www.aspdotnetstorefront.com/d...estProgram.zip

    Upon running that application, you could use either Salted+Hashed (use this if 'Use WSE3 Token Authentication' is checked) or clear text password.

  3. #3
    Amazing, Senior Member (Join Date: Nov 2008; Posts: 103)

    Is there some way to restrict access to WSI to a specific IP, or range of IPs?
    Or what is the best way to secure the WSI from hackers (besides HTTPS)?

  4. #4
    Amazing, Senior Member (Join Date: Nov 2008; Posts: 103)

    WSI Controlling Access

    Bumping...

    How about if we restrict access to the App_Code folder in IIS, or move the ipx.cs file or other critical files into another controlled directory which is IP restricted?

    Any thoughts? It doesn't seem likely that nobody has ever tried to restrict access to WSI.

    Thanks in advance for any tips you may have regarding this...

  5. #5
    ssgumby, Senior Member (Join Date: Feb 2009; Posts: 683)

    What type of access restriction do you need? Isn't a secure user/pw enough?

  6. #6
    Amazing, Senior Member (Join Date: Nov 2008; Posts: 103)

    Call me paranoid, but I like extra security, firewalls, restrictions etc. Anyone can hack a password given enough tries, but if they can't even try that's all the more better... right?

  7. #7
    ssgumby, Senior Member (Join Date: Feb 2009; Posts: 683)

    Originally Posted by Amazing:
    "Call me paranoid, but I like extra security, firewalls, restrictions etc. Anyone can hack a password given enough tries, but if they can't even try that's all the more better... right?"

    Yes, I too am paranoid, but if the password can be cracked so easily wouldn't it also be an issue in the admin? Seems if I could break a pw, I would prefer to just do so and log into the admin.

  8. #8
    Amazing, Senior Member (Join Date: Nov 2008; Posts: 103)

    It isn't so much "guessing" the pwd.. what if someone wrote it down, and took it home or emailed it to someone else?

    We are already IPV4 restricting access to the "Admin" folder, so that isn't an issue.
    I guess what I'm getting at now is: I'm wondering whether, if one moves the ipx.cs file into the Admin folder (which we are already restricting) and I change the reference to it in the .asmx file, it will still work. I guess I will be trying a couple things. I just can't believe that nobody else is as paranoid as me...

    Or maybe there is a better way to reduce hacking attempts that can occur to WSI?
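
The IP restriction asked about in posts #3, #4 and #8, as an added example that is not part of the thread or of AspDotNetStorefront's own configuration: IIS 7 and later can apply an IP allow-list to a single URL with a `<location>` element, so the WSI files do not have to be moved into the Admin folder. The endpoint name `ipx.asmx` at the site root and the addresses are assumptions (the addresses are documentation ranges), and the example assumes the "IP and Domain Restrictions" role service is installed.

```xml
<!-- Added example: restrict the WSI endpoint to known client addresses.
     Goes in the site's web.config. Assumptions: the WSI endpoint is
     ipx.asmx in the site root; the addresses below are placeholders. -->
<configuration>
  <location path="ipx.asmx">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny every client that has no
             matching <add ... allowed="true" /> entry below. -->
        <ipSecurity allowUnlisted="false">
          <!-- Single host allowed to call WSI (placeholder address). -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- Office range allowed to call WSI (placeholder /24). -->
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The `ipSecurity` section is locked at the server level by default, so it either has to be unlocked for the site or the same `<location>` block placed in applicationHost.config with the site name in the path. If the site sits behind a proxy or load balancer, IIS sees the proxy's address rather than the client's, and the allow-list has to account for that.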

  9. #9
    ASPAlfred, Senior Member (Join Date: Nov 2007; Posts: 2,244)

    You need to see this thread and follow our best security practices.