Xtreme .Net Talk

Posted

An application I am writing connects to several computers. If a domain administrator is running that program it is not a problem as long as the local machine isn't overriding the group policy that puts domain administrators in the local administrators group. However there are a few 'special' computers (I can't say why, but there is a reason for it) that do override this policy; a domain administrator has to connect to these computers using a special username/password authentication. How would I save this information securely... obviously an entry in an Access db that is password protected is too easy to crack for this... how to securely save this kind of information?

Also this application has to obtain certain objects from remote computers that are not visible by the Everyone group, only domain admins have that privilege, yet users need it too, but we don't want them to have direct access to it, only via this application I am writing, so creating a security context for the users wouldn't be prudent, nor would it be viable since we would have to change the security policy on several hundred computers each with several files. So this means that certain functions in this application have to run with elevated privileges if the current user isn't a domain admin or that computer doesn't allow the default domain admin to log in. How do I do this via code?

I'm a newbie when it comes to security and the MSDN articles are either too vague or too complex for my needs... so break it down Barney style to me :) - that means talk to me with small words :)

Posted

Security has never been one of my strong points, but for the first point, have you considered encrypting the domain password? Then if a user happens to find the password file, all they see is something like this:

JY5/mteFpLk=

This is my SQL Server password, that I decrypt when I need it for every app... that way if a user comes across the registry key that holds this, it doesn't matter.

Posted
What are you using to Encrypt/Decrypt? One of those many vague articles on MSDN I was reading was talking about this... using custom encryption/decryption being a bad idea - not as secure because the math is viewable with a decompiler. Are you holding the key in the code? Something MSDN says is a no-no... Not criticizing... just trying to find out more info....
Posted
> What are you using to Encrypt/Decrypt? One of those many vague articles on MSDN I was reading was talking about this... using custom encryption/decryption being a bad idea - not as secure because the math is viewable with a decompiler. Are you holding the key in the code? Something MSDN says is a no-no... Not criticizing... just trying to find out more info....

I pass a public decryption key into a module that contains the private key. While it's true that this could be decompiled, this is not a concern for us. Most of our apps are web apps, so the user doesn't have access to the server side code. Perhaps you could use Dotfuscator to prevent uncompiling?

Posted

Yes I'm reading that now...

What I've gotten is that the key I make to retrieve the data I encrypt should be stored in a key container... however it seems to me that if you decompile (which .NET is easy to do unless you're using third party tools like an obfuscator) you now know what the key container is, thus giving you access to the key, thus giving you access to the data... I'm curious, at some point or another you're going to have to store something in your code, having your user type in a password, or a key, or anything to get to data is a pain for the user... you have to be saving something in a file somewhere, or have something in your code... am I looking at this too deeply?
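
The key-container approach discussed in this thread, as an added example that is not code from any of the posters: it encrypts a credential with an RSA key pair persisted in a named, user-level CSP key container on Windows. The container name `ExampleApp.CredentialKey`, the class name and the sample password are hypothetical; the name in the code is only an identifier, and the private key is held by Windows in the store of the account that created it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CredentialStore
{
    // Hypothetical container name. It is an identifier, not a secret:
    // reading it from a decompiled assembly does not yield the private key.
    const string ContainerName = "ExampleApp.CredentialKey";

    static RSACryptoServiceProvider OpenKey()
    {
        // Naming a container makes the CSP create the key pair on first use
        // and reload the same pair on later runs (the key is persisted).
        // Without UseMachineKeyStore the container is per-user.
        var csp = new CspParameters { KeyContainerName = ContainerName };
        return new RSACryptoServiceProvider(2048, csp);
    }

    public static string Protect(string secret)
    {
        using (var rsa = OpenKey())
        {
            // Second argument true selects OAEP padding.
            // RSA encrypts only short values, which suits a password.
            byte[] cipher = rsa.Encrypt(Encoding.UTF8.GetBytes(secret), true);
            return Convert.ToBase64String(cipher);
        }
    }

    public static string Unprotect(string stored)
    {
        using (var rsa = OpenKey())
        {
            byte[] plain = rsa.Decrypt(Convert.FromBase64String(stored), true);
            return Encoding.UTF8.GetString(plain);
        }
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        string stored = Protect("constructed-sample-password");
        Console.WriteLine(stored);            // this text can go in a file or registry value
        Console.WriteLine(Unprotect(stored)); // succeeds only under the account that owns the container
    }
}
```

Copying the stored text to another machine or reading it as a different Windows account does not allow decryption, because that account's store has no key under this container name.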
