The Problem
The company where I work has an ASP.Net Web Application that tracks employee attendance. A link to the Attendance application is in the Startup folder of every user’s PC. The application records on a daily basis the time a user first logs onto his or her PC. On startup, the application determines the network user id and checks the application database to see if the user has already logged in that day. If he or she has not, the date and time, along with the user id, are recorded in the database. If he or she has already logged in that day, no database write is done.
This Attendance application has been in place for approximately 3 years and works without a problem. However, it recently came to the attention of the administration that some users with remote access capabilities were abusing the system. In short, they were logging into their PCs remotely from home, thereby recording a date and time that was earlier than their actual arrival at the office. I was asked to modify the application to disallow this.
Setup
I opted to solve this problem using VBScript and some WMI and ADSI calls. The page that is called when the application is launched on startup is a dummy page that contains various web controls. One of these web controls contains the text the user sees upon successful sign-in to the Attendance application.
The Script
The script performs five tasks to accomplish its goal:
1. It determines the user’s network user id
2. It obtains a list of all remote sessions on the computer
3. It obtains a list of all users associated with those sessions
4. It loops through all user names associated with the remote sessions to see if there’s a match with the network user id identified in step 1, above
5. Based on the results of steps 1-4, above, it either logs the user into the Attendance application and displays a message indicating success, or it displays a message explaining why the user is being denied access
Users access the Attendance application website using Windows Authentication, so to determine the user’s network user id, I use the following standard code in the Session_Start method in Global.asax
The rest of the code is added to the Page_Load method of the application’s Start Page. To get a collection of all remote sessions on the computer I use the code below. LogonType 10 identifies remote sessions in WMI. Note that “\root\cimv2” will return an SWbemServices object that represents the machine’s default namespace on a Windows XP or Windows 2000 machine. If you’re working with a different operating system, check Microsoft’s WMI documentation as to the correct syntax
From within each remote session, I identify the user id(s) associated with that session
and I loop through this list of user ids looking for a match with the network user id I identified at the beginning of the process
If there is no match (i.e., the user is logging in locally), I load the control indicating success or failure, passing a parameter “flag” set to 1. If there is a match (i.e., the user is logging in remotely), the control is also loaded, but “flag” is set to 0
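The session check described in steps 1-4, written as a standalone Windows Script Host script. This is an added example, not the article's listing: it assumes it runs on the PC being checked, takes the user id from WScript.Network rather than from Windows Authentication in ASP.NET, and the function name HasRemoteSession is hypothetical.

```vbscript
Option Explicit

' Added example (not the article's code). Run with: cscript //nologo <script>.vbs
Const LOGON_TYPE_REMOTE_INTERACTIVE = 10   ' the LogonType the article uses for remote sessions

' Returns True when domain\user owns at least one LogonType 10 session on this machine.
Function HasRemoteSession(ByVal domain, ByVal user)
    Dim wmi, sessions, session, accounts, account
    HasRemoteSession = False

    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set sessions = wmi.ExecQuery( _
        "SELECT * FROM Win32_LogonSession WHERE LogonType = " & _
        LOGON_TYPE_REMOTE_INTERACTIVE)

    For Each session In sessions
        ' Win32_LoggedOnUser links each logon session (Dependent) to its account (Antecedent).
        Set accounts = wmi.ExecQuery( _
            "ASSOCIATORS OF {Win32_LogonSession.LogonId=" & session.LogonId & "} " & _
            "WHERE AssocClass=Win32_LoggedOnUser Role=Dependent")
        For Each account In accounts
            ' Compare domain and name, case-insensitively, so a local account that
            ' shares a name with a domain account is not treated as a match.
            If StrComp(account.Name, user, vbTextCompare) = 0 And _
               StrComp(account.Domain, domain, vbTextCompare) = 0 Then
                HasRemoteSession = True
                Exit Function
            End If
        Next
    Next
End Function

Dim net, who
Set net = CreateObject("WScript.Network")
who = net.UserDomain & "\" & net.UserName

' Mirrors the article's "flag" parameter: 0 = remote (deny), 1 = local (allow).
If HasRemoteSession(net.UserDomain, net.UserName) Then
    WScript.Echo "Remote session found for " & who & ": sign-in denied (flag = 0)"
Else
    WScript.Echo "No remote session for " & who & ": sign-in allowed (flag = 1)"
End If
```

A Remote Desktop session that was disconnected but not logged off still appears in Win32_LogonSession, so a match means the account holds a remote logon on the machine, not that the current sign-in arrived over it. Without administrative rights the query returns only the caller's own logon sessions.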
When the control SignIn_New.ascx is called, the text of the Label object that is used for displaying user messages is set depending on the parameter “flag” that was passed. Further, if the user is logging in locally, he or she is logged into the Attendance application via the addSignIn method, which is also defined in SignIn_New.ascx.vb (code not included)
The complete script follows. The application’s Start Page is signin.aspx.
Listing 1: signin.aspx.vb
Listing 2: SignIn_New.ascx.vb
An Alternative Approach
At one point, I was asked to develop a somewhat different solution, one that would pop up a message window to a remote user and then close the application. The approach I used was essentially the same, but this time I wrapped my code in an HTML application, to enable me to easily close the application when required. To begin, I added an HTML page to my project, but named it with an *.hta extension. I then added the following line to the head section:
Since my code is now client-side code, I needed to use a different method to determine the user’s network user id. I chose to use the ADSI object ADSystemInfo. ADSystemInfo returns a number of pieces of Active Directory-related information about the user logged onto the computer
The UserName property of the ADSystemInfo object is the distinguished name of the user. Its format is similar to:
Therefore, a further line of code is needed to extract only the network user id. Our network user ids are 5 characters long, so:
Following is the complete code that was added to the HTML Application page
Note that this alternative approach means that no parameters are passed to signin.aspx or recognized by SignIn_New.ascx.
Testing and Deployment of Alternative Approach
An *.hta page cannot be made the Start Page of a Visual Studio project by right-clicking on it in the Solution Explorer pane. Therefore, if you want to run the application from within Visual Studio, you must use an alternate method of setting the HTML application to be the Start Page. Here’s how to proceed:
- Click on the Project dropdown menu in Visual Studio
- Click on the Properties choice (note that this functionality cannot be reached via the Properties window under the View dropdown menu)
- Click on the Web tab along the left-hand side
- Under Start Action, choose the *.hta page for the Specific Page textbox
- Save the Properties page and close it
In this way, you can run the application from within Visual Studio and the *.hta page will launch as the Start Page.
The *.hta page is a standalone application, so to deploy this solution, it would’ve been necessary to replace all the links to the Attendance application in the users’ Startup folders with the *.hta page. That was not done, as explained in the Conclusion section.
Conclusion
The disadvantage to the alternative approach using an HTML Application is that the Attendance application can still be accessed by the user if he or she bookmarks the original URL. The first approach more effectively blocks remote users from accessing the application under any circumstances. Therefore, the first approach was the one chosen to be put into production.
About Melanie Peterson