Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office".  Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home.  I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on.  

The difficulty I'm facing is to somehow detect if the user is running the application from "the office'.  Obviously I can determine the IP address of the user's station as well as the external (assigned to the NAT router by the IP provider) behind which the user's station is running.  Since most offices operate behind a NAT router, the IP's assigned by the DHCP server are usually a non-routeable address.  Since such IP ranges are not unique, I can't rely only on the IP address of the user's station being in a specified range/subnet (i.e. 192.168.1.1-192.168.1.254).  Additionally, if the client's LAN is serviced by an internet provider that only issues a dynamic IP then I can't rely on a "static" external IP address of the stations in "the office" since that could change each day or anytime the router is rebooted.  I understand that each session of an ElevateDB server knows the IP address of the station that has initiated the session but as above, that in of itself is not sufficient to determine if the session was originated from within "the office" or outside the local LAN.

Obviously I could write a messaging service that runs on a server in "the office" LAN that pings the stations on the LAN but obviously wouldn't ping a station outside the router/LAN subnet but that seems like such overkill and needless overhead for such a simple restriction.

Do any of my colleagues on these fine forums have any brilliant suggestions to my client's requirement?

Norman


Never had to do anything of that nature myself. Only one thought occurs to me - have a server side routine that reads the local MAC address and  hard driver serial number and merges them together. Hard code that into the app and check on start up.

Roy Lambert

Roy Lambert wrote:

Norman
Never had to do anything of that nature myself. Only one thought occurs to me - have a server side routine that reads the local MAC address and  hard driver serial number and merges them together. Hard code that into the app and check on start up.

Roy Lambert
--------------------------------
Roy:
What you are implying is to maintain a list of stations on the LAN and compare the user's station to that list in order to confirm that it is a station "in the office".  On the surface, that approach appears to be a maintenance headache  My experience is that stations come and go due to hardware/software failures and users can log in/access the application from any station on the LAN.  I think I need an other approach that doesn't require any administrative maintenance.

Thanks for the suggestion.

Norman,

Would need some more info on various scenarios that are allowed (it
almost lokos like there might be multiple "offices" here) to better
suggest things.

How do the users access the EDB server remotely vs "in the office" -
just by public IP or is there VPN involved.

if they're using a public IP then you can determine that at connect time
and just check that username logging in is allowed remote access (since
DB connection is going to remote IP which you know).

If VPN then see if you can detect that (in our office for example I get
a special DHCP IP for VPN connections) or maybe some other way to check
for the presence of vpn connection.

Other ways to detect if PC is "in the office"

- is the DNS domain on the internal LAN something unique or is
workstation in a windows domain? If either is yes then you can check for
that.

- this is most work but i would not ping workstations from yoru service
but reverse. Have a service running in the office that your app can ping
and if if gets a reponse then it knows it's on the LAN. Can even use
some existing services (like ftp or web server that is internal only).

Raul




On 5/7/2013 12:11 PM, Norman Clark wrote:
> Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office".  Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home.  I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on.
>
> The difficulty I'm facing is to somehow detect if the user is running the application from "the office'.  Obviously I can determine the IP address of the user's station as well as the external (assigned to the NAT router by the IP provider) behind which the user's station is running.  Since most offices operate behind a NAT router, the IP's assigned by the DHCP server are usually a non-routeable address.  Since such IP ranges are not unique, I can't rely only on the IP address of the user's station being in a specified range/subnet (i.e. 192.168.1.1-192.168.1.254).  Additionally, if the client's LAN is serviced by an internet provider that only issues a dynamic IP then I can't rely on a "static" external IP address of the stations in "the office" since that could change each day or anytime the router is rebooted.  I understand that each session of an ElevateDB server knows the IP address of the station that has initiated the session but as above, that in of itself is not sufficien
t to determine if the session was originated from within "the office" or outside the local LAN.
>
> Obviously I could write a messaging service that runs on a server in "the office" LAN that pings the stations on the LAN but obviously wouldn't ping a station outside the router/LAN subnet but that seems like such overkill and needless overhead for such a simple restriction.
>
> Do any of my colleagues on these fine forums have any brilliant suggestions to my client's requirement?
>

Norman,

<< Not specifically an ElevateDB issue but my client wishes to restrict use
of an application I am developing to certain users such that only some can
use the application away from "the office".  Since the application is
self-contained and the users accesses an ElevateDB server in client-server
fashion it is somewhat difficult to restrict the use of the application if a
user simply copies the app to a USB stick and takes it home.  I have already
developed a user security system to control the functional access to
components of the application so I have a backbone to build on.

The difficulty I'm facing is to somehow detect if the user is running the
application from "the office'. >>

Are they using a domain controller and active directory services on their
network in the office ?  If so, then a simple ADS lookup as part of this
event handler in a customized EDB Server (edbsrvr.dpr project) will do what
you want:

http://www.elevatesoft.com/manual?action=viewtype&id=edb2&product=delphi&version=7&type=TEDBServerSessionLoginEvent

You can use the ProcessName that comes through this event to do an ADS
computer lookup.  The part of the ProcessName up to the colon (is the
Windows computer name that can be used for the lookup.  If the lookup fails,
then you can reject the login of the user to the EDB Server.

If you'd like to pursue this, just let me know and I'll post some code.

Tim Young
Elevate Software
www.elevatesoft.com

Norman


Sorry I obviously misunderstood what you were asking.

Just to clarify - anyone is allowed to access your app if they are on the LAN, but only a selected few if on a WAN. Is that what you're saying?

I'd post this over on the Embarcaderoo groups as well. There are some very good people on there as well as a sprinkling of idiots and prats.

Roy Lambert

"Tim Young [Elevate Software]" wrote:

Norman,

<< Not specifically an ElevateDB issue but my client wishes to restrict use
of an application I am developing to certain users such that only some can
use the application away from "the office".  Since the application is
self-contained and the users accesses an ElevateDB server in client-server
fashion it is somewhat difficult to restrict the use of the application if a
user simply copies the app to a USB stick and takes it home.  I have already
developed a user security system to control the functional access to
components of the application so I have a backbone to build on.

The difficulty I'm facing is to somehow detect if the user is running the
application from "the office'. >>

Are they using a domain controller and active directory services on their
network in the office ?  If so, then a simple ADS lookup as part of this
event handler in a customized EDB Server (edbsrvr.dpr project) will do what
you want:

http://www.elevatesoft.com/manual?action=viewtype&id=edb2&product=delphi&version=7&type=TEDBServerSessionLoginEvent

You can use the ProcessName that comes through this event to do an ADS
computer lookup.  The part of the ProcessName up to the colon (is the
Windows computer name that can be used for the lookup.  If the lookup fails,
then you can reject the login of the user to the EDB Server.

If you'd like to pursue this, just let me know and I'll post some code.

Tim Young
Elevate Software
www.elevatesoft.com
------------------------------------------------------------------
Tim:
Good approach but unfortunately I can not guarantee that the application will always be run on a LAN governed by an Active Directory server.  This application will be used by several different companies and not all of them will have an active domain server.  Some could rightly be run on a workgroup LAN.

I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection.  Ideally, I could find a very small telnet server running as a service that would produce a  unique "hello there" response to a client socket connection.  I've started looking for such a beast but to date I have not found an example.  I hate to have to roll my own but will venture into the maze of threads and such unless a simple solution surfaces soon.

It would be oh so convenient if the ElevateDB server could somehow know if the session originated from a LAN connection.  On the other hand it is a dumb requirement of my client ... on the other hand, the client is always right

Thanks again,

On 5/8/2013 6:02 PM, Norman Clark wrote:
> I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection.  Ideally, I could find a very small telnet server running as a service that would produce a  unique "hello there" response to a client socket connection.

I'd suggest use a web server instead of telnet - easier to query and
return a unique response (just echo client remote IP back or something
like that).

Plenty of light http server around or you can write your own (as i
recall even EDB source code includes one in the edbutils i think or EWB
if you own that)

Raul

Norman,

<< I've pretty much come to the conclusion that I need to have a small
service running on the network that can be queried by the application to
confirm a local connection.  Ideally, I could find a very small telnet
server running as a service that would produce a  unique "hello there"
response to a client socket connection.  I've started looking for such a
beast but to date I have not found an example.  I hate to have to roll my
own but will venture into the maze of threads and such unless a simple
solution surfaces soon. >>

Why not just pop a TEDBEngine component in a small application and use this
event to handle a custom procedure for responding to such requests:

http://www.elevatesoft.com/manual?action=viewevent&id=edb2&product=delphi&version=7&comp=TEDBEngine&event=OnServerProcedure

Then you don't need anything extra in your application besides a separate
TEDBSession component (SessionType=stRemote) along with a couple of settings
that determine the IP address/host/port of your "special server" to connect
to and send the "confirmation request".

Just throwing out ideas here.

Tim Young
Elevate Software
www.elevatesoft.com

"Tim Young [Elevate Software]" wrote:

Norman,

<< I've pretty much come to the conclusion that I need to have a small
service running on the network that can be queried by the application to
confirm a local connection.  Ideally, I could find a very small telnet
server running as a service that would produce a  unique "hello there"
response to a client socket connection.  I've started looking for such a
beast but to date I have not found an example.  I hate to have to roll my
own but will venture into the maze of threads and such unless a simple
solution surfaces soon. >>

Why not just pop a TEDBEngine component in a small application and use this
event to handle a custom procedure for responding to such requests:

http://www.elevatesoft.com/manual?action=viewevent&id=edb2&product=delphi&version=7&comp=TEDBEngine&event=OnServerProcedure

Then you don't need anything extra in your application besides a separate
TEDBSession component (SessionType=stRemote) along with a couple of settings
that determine the IP address/host/port of your "special server" to connect
to and send the "confirmation request".

Just throwing out ideas here.

Tim Young
Elevate Software
www.elevatesoft.com
----------------------------------------------
Tim:  Good suggestion.  I wanted a simple, easy-to-maintain/support solution to this problem so I preferred a service application that could be installed as part of the engine deploy.

I finally wrote a simple TCP service based on Francois Piette's ICS products (http://www.overbyte.be) that would respond to a socket connection from the client application using an uncommon port.  In this way I could be absolutely assured that the application was operating on the LAN hosting the engine.  The other suggested approaches could be thwarted by a knowledgeable user who added an entry to their Hosts file that mapped the local server name to the remote engine port.  Perhaps I overthink these kind of potential problems but I do like my apps to be rather bullet-proof.

Thanks to all for the suggestions.  I anyone needs a copy of the sample service /client code then drop me a line.