LDAP query for machine account?
A few things to consider:
- An LDAP query is generally an inward-facing mechanism - to query a server for some information about a client.
- The target of the LDAP query would have to be running an LDAP server (or Active Directory services), which a client would not normally be doing.
- As you've discovered, the client-side registry check does not return any values other than a "presence of" true/false (is present or equals).
Depending on how strong the need for hardware-based security is, you could do some of the following:
- Install and validate hardware certificates. This process can usually be automated and provides a cryptographic mechanism for hardware assurance. Yes, it can technically be extracted and used on another machine, but then read on.
- Both session.windows_info_os.* and session.windows_machine_info.* give you a ton of (difficult to spoof) data. You could, at the very least:
  a. Register each user's machine in a local database (with web/LDAP interface for querying) - you could probably automate the registration process through an APM mechanism.
  b. Read and compare things like motherboard, BIOS, or hard drive serial numbers on subsequent logons.
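
The register-then-compare approach from steps a and b could be backed by a small store like the one below. This is an added example, not part of the original post and not F5 code. The field names, the one-machine-per-user model, the SQLite store and the keyed-digest storage are all assumptions; map the fields to whatever machine-info values your access policy actually collects.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical field names (assumption); not F5 session variable names.
FIELDS = ("board_serial", "bios_serial", "disk_serial")
SERVER_KEY = b"constructed-demo-key"  # constructed; load a real key from a secret store


def normalize(value):
    # Serial numbers are often reported with varying case and padding.
    return " ".join(str(value or "").upper().split())


def digest(field, value):
    # Store a keyed digest so the database does not hold raw serials.
    msg = f"{field}={normalize(value)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS machines "
               "(username TEXT, field TEXT, digest TEXT, "
               "PRIMARY KEY (username, field))")
    return db


def register(db, username, attrs):
    """Step a: enroll (or re-enroll) the machine for this user."""
    missing = [f for f in FIELDS if not normalize(attrs.get(f))]
    if missing:
        raise ValueError(f"cannot register without: {missing}")
    with db:  # commit all fields together
        db.executemany(
            "INSERT OR REPLACE INTO machines VALUES (?, ?, ?)",
            [(username, f, digest(f, attrs[f])) for f in FIELDS])


def check_logon(db, username, attrs):
    """Step b: compare reported values with the enrolled ones."""
    stored = dict(db.execute(
        "SELECT field, digest FROM machines WHERE username = ?", (username,)))
    if not stored:
        return "unregistered", []
    # A field the client did not report counts as changed.
    changed = [f for f in FIELDS if not hmac.compare_digest(
        stored.get(f, ""), digest(f, attrs.get(f)))]
    return ("match" if not changed else "mismatch"), changed
```

Returning the list of changed fields lets the policy decide how to treat a partial mismatch, such as a replaced hard drive, separately from a completely different machine.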