PerfectPhase said:staceyw said:*snip*
I don't disagree with what your saying, and have said before in this thread that I don't like the idea. But this is a internal request, and the thread started was started on the premise of 'If you had to....'
The Customer owns the hardware, OS and their people sys admin the box.
We provide a software package that runs on this box. This software has serveral wcf services that talk to each other. They are secured with service accounts and X509 certs.
The apps default trust boundary requires that the admin be deemed trustworthy and assumes we are protecting the system from people the customer does not want to access the system.
The question was what if we want to protect the system from the customer themselves. If we wanted to make some of the wcf service endpoints private.
As has been pointed out in my original post and by AndyC and others this is actually impossible given where the current trust boundaries are; we do not trust the people who run the system under us, the OS.
So the question should have been, how would you slow someone down finding a secret from your code.
Anyway thanks everyone for the discussion.
Tossing some outside-the-box ideas on the wall:
1) I guess you really had to, you could use something like Citrix and keep all the code on server. Then nothing on client side to hack. One of the selling points of this solution.
2) I also wonder if you do something like a VM with your complete client environment running in a ~secure password protected and encrypted VM. The VM would have only your admin rights and user accounts as needed. Local admins would not have access. The clients could remote desktop into app and/or log into the VM as a normal user with no admin rights and use client locally and rely on NT security. Could play with and tune rights (execute only, etc). As a side effect, could also make versioning and change control on the client side a simple matter of shipping or reinstalling a new image file. In effect, your placing a client environment inside a client site still controlled by you. Allowing only remote desktop to your *app (not a console session) would seem to be about the tightest you could get.