I would like to know the best way to store credentials in a c# application.
I am writing some administrative tools and will need to store username and
password information for a domain account with elevated privileges. While I
am sure this is not a "best practice" I have not come up with a way around
this as not all users of the app will have the permissions on their accounts.
Any advice on is most appreciated.
Thanks
--
Adam S
13  12621 
Hi Adam,
There are a lot of discussion on the best practise of storing password
securely. Basically, you may use Data Protection API such as
CryptProtectMemory and CryptProtectData to encapsulate the clear text
password, .Net also provided some encryption classes for this purpose. I
would recommend the articles below for you:
"How To Store Secrets On A Machine " http://pluralsight.com/wiki/default....StoreSecretsOn
AMachine
"The Art & Science of Storing Passwords" http://www.codeproject.com/cs/algori...gPasswords.asp
"Secure Coding Technique: A Better C# Password Dialog Box" http://www.codeproject.com/csharp/passworddialog.asp
Additionally, MSDN contains 2 best practise articles on handling password
in Win32, for your information:
"Password Threat Assessment" http://msdn2.microsoft.com/en-us/library/ms717800.aspx
"Threat Mitigation Techniques" http://msdn2.microsoft.com/en-us/library/ms717803.aspx
Hope it helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and then
use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Adam S" <Adam S@community.nospamwrote in message
news:71**********************************@microsof t.com...
>I would like to know the best way to store credentials in a c# application.
I am writing some administrative tools and will need to store username and
password information for a domain account with elevated privileges. While
I
am sure this is not a "best practice" I have not come up with a way around
this as not all users of the app will have the permissions on their
accounts.
Any advice on is most appreciated.
Thanks
--
Adam S
Hi Nicholas,
I am not advocating storing password in application memory. As Adam already
pointed out himself, he knows that this is not a "best practice". However,
there will be scenario that the application really needs to store password.
Per the request of the poster, I am providing the best practise articles of
dealing with password.
Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.comschrieb
im Newsbeitrag news:27**********************************@microsof t.com...
Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and
then use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
The scenario of the OP seems to be, that the user shouldn't know the login.
from OP: "not all users of the app will have the permissions on their
accounts."
Christof
If it is a network application, could you not centralise the
"Administrative" tools in an internal web service or installed component?
Then there is no need to store the password as the centralised component
would be installed to run under the correct credentials.
"Adam S" <Adam S@community.nospamwrote in message
news:71**********************************@microsof t.com...
>I would like to know the best way to store credentials in a c# application.
I am writing some administrative tools and will need to store username and
password information for a domain account with elevated privileges. While
I
am sure this is not a "best practice" I have not come up with a way around
this as not all users of the app will have the permissions on their
accounts.
Any advice on is most appreciated.
Thanks
--
Adam S
Nick,
Your recommendation would be to store the username and password in a
database? I guess I am trying to figure out how that is going to help me out
in this scenario. Can you offer any additional info?
Thanks
--
Adam S
"Nicholas Paldino [.NET/C# MVP]" wrote:
Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and then
use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Adam S" <Adam S@community.nospamwrote in message
news:71**********************************@microsof t.com...
I would like to know the best way to store credentials in a c# application.
I am writing some administrative tools and will need to store username and
password information for a domain account with elevated privileges. While
I
am sure this is not a "best practice" I have not come up with a way around
this as not all users of the app will have the permissions on their
accounts.
Any advice on is most appreciated.
Thanks
--
Adam S
I get that, but I can't even begin to tell you what a monumentally bad
idea that is. If a user doesn't have permission to perform an action, there
is a very good reason for it, and if they need to perform an action, they
should know the credentials of an account which can perform it, or they
should be given rights to do it.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Christof Nordiek" <cn@nospam.dewrote in message
news:uD*************@TK2MSFTNGP06.phx.gbl...
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.comschrieb
im Newsbeitrag news:27**********************************@microsof t.com...
>Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and
then use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
The scenario of the OP seems to be, that the user shouldn't know the
login.
from OP: "not all users of the app will have the permissions on their
accounts."
Christof
No, I'm saying that you really should get your permissions set up
correctly and not embed username and password information in your app. The
fact of the matter is that if you embed this information in your app, then
the likelihood of that information being extracted and users increases.
Better that you don't give them that opportunity.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Adam S" <Adam S@community.nospamwrote in message
news:4D**********************************@microsof t.com...
Nick,
Your recommendation would be to store the username and password in a
database? I guess I am trying to figure out how that is going to help me
out
in this scenario. Can you offer any additional info?
Thanks
--
Adam S
"Nicholas Paldino [.NET/C# MVP]" wrote:
>Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and
then
use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Adam S" <Adam S@community.nospamwrote in message
news:71**********************************@microso ft.com...
>I would like to know the best way to store credentials in a c#
application.
I am writing some administrative tools and will need to store username
and
password information for a domain account with elevated privileges.
While
I
am sure this is not a "best practice" I have not come up with a way
around
this as not all users of the app will have the permissions on their
accounts.
Any advice on is most appreciated.
Thanks
--
Adam S
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.comschrieb
im Newsbeitrag news:8A**********************************@microsof t.com...
I get that, but I can't even begin to tell you what a monumentally bad
idea that is. If a user doesn't have permission to perform an action,
there is a very good reason for it, and if they need to perform an action,
they should know the credentials of an account which can perform it, or
they should be given rights to do it.
But when I start a service, the service may run under a service account and
may have permissions that the I don't have.
Another example would be a server application like a web application on ISS.
The web application can, on behalf of the user, can do things, the user
wouldn't be able directly.
Maybe this is a solution for the OP also: Make a Webservice or a
WindowsService and then configure it, to use an account with the aproppriate
permissions.
BTW How does the Service Console store credentials?
Christof
Right, but those programs are running under a set of user credentials,
the credentials are not embedded anywhere in those apps. This user is
suggesting embedding the credentials in his application somehow.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Christof Nordiek" <cn@nospam.dewrote in message
news:O%****************@TK2MSFTNGP02.phx.gbl...
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.comschrieb
im Newsbeitrag news:8A**********************************@microsof t.com...
> I get that, but I can't even begin to tell you what a monumentally bad
idea that is. If a user doesn't have permission to perform an action,
there is a very good reason for it, and if they need to perform an
action, they should know the credentials of an account which can perform
it, or they should be given rights to do it.
But when I start a service, the service may run under a service account
and may have permissions that the I don't have.
Another example would be a server application like a web application on
ISS. The web application can, on behalf of the user, can do things, the
user wouldn't be able directly.
Maybe this is a solution for the OP also: Make a Webservice or a
WindowsService and then configure it, to use an account with the
aproppriate permissions.
BTW How does the Service Console store credentials?
Christof
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.comschrieb
im Newsbeitrag news:35**********************************@microsof t.com...
Right, but those programs are running under a set of user credentials,
the credentials are not embedded anywhere in those apps. This user is
suggesting embedding the credentials in his application somehow.
I suppose he only wants a the programm to use credentials, not given to him
by the user.
Surely someone has to provide the credentials, (or the programm has to be
the system itself). ;-)
But this could be done by an administrator e.g. while installation, or it
could be done "by the programmer", so that the credentials are really stored
inside the app (in its binaries). The last surely is best practice, as the
OP itself says.
Christof
Hi,
I would agree with Nich. It's a bad idea!
But, I my self had to use crypto providers to store SQL server
credentials (I used ProtectSection of configuration manager) in cases
Windows NT authentication can't be used.
Anyhow, I think it's a bad idea and if you can, don't do it! =)
Moty
Hi Adam,
How about this issue now? Do all the replies make sense to you? If you
still need any help or have any concern, please feel free to feedback,
thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Angelo Vargheese |
last post by:
Hi,
I am trying to retrieve XML created by ASP pages on different servers
and display them on a single ASP.Net page.
I was planning to use the XMLDocument and XMLResolver objects like
below:
...
|
by: Grind Boy |
last post by:
Hi,
I'm writing this off the top of my head as I don't have the exact
information to hand.
We are attempting to set up a secure internet site using ASP.NET on IIS5.
We are having some...
|
by: Chris L |
last post by:
Hello,
I'm hoping to find out if it is possible to connect
within an ASP.NET application to Active Directory with
the credentials of the person who accessed the ASP.NET
application via IIS,...
|
by: elora_c |
last post by:
I'm making a call to a webservice from my ASP.NET page. The web
application has anonymous access turned off and Integrated Windows auth
turned on. The web.config has <identity impersonate=true>. ...
|
by: Wild Wind |
last post by:
Hello,
I have an application which calls a web service across the
Internet from a client machine.
The site that I have deployed the application to is such that
to browse the Internet using a...
|
by: Gerhard |
last post by:
I have an application that needs to be able to upload documents that can
latter be accessed and opened by a hyperlink. I can do this easliy if I
store the files in a subdirectory in the...
|
by: Christof Nordiek |
last post by:
I'm writing a windows service wich shall be able to access certain resources
(files etc). So accessrights will have to be configurable by a local
administrator.
One option is to use the account...
|
by: Mythran |
last post by:
We followed an example found on MSDN to create an encrypted
FormsAuthenticationTicket and storing the ticket in a cookie. Is this the
"correct" way to store the authentication ticket? We are...
|
by: Wimpie van Lingen |
last post by:
Hey
I have some more questions with regards to Remoting in .NET 2. I'm using TCP with the Binary formatter.
My solution consists of 4 projects:
- Class Library containing the server classes...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
