Secure storage of admin credentials
  #1  
05-26-2011, 12:52 PM
DoughBoy


Hello Everyone,

I have an ASP.NET application that is running some server-batch processes that require admin credentials. I would prefer to have some sort of protected retrieval of this admin password instead of storing the username/password on the ASPX page as a visible string.

Can anyone offer a method of a protected storage and retrieval?

Thanks to all for their help.


*Edit*
Here's my initial thought:
- Create a secure password as a System.Security.SecureString
- Export the secure string to a binary file on the server
- When executing the server process, open the binary file and convert to a SecureString object
- Load this object as the process' password

What do you all think about this idea? I'll be working on this until someone speaks up about this thread.

Last edited by DoughBoy; 05-26-2011 at 01:05 PM. Reason: Forgot to include my initial stab (the thought process I'll be working on)
  #2  
05-26-2011, 01:46 PM
PlausiblyDamp

You could store them in the web.config but use aspnet_regsql.exe to encrypt that section.

http://odetocode.com/blogs/scott/arc...-sections.aspx gives a really good example of how you can do this.
__________________
Intellectuals solve problems; geniuses prevent them.
-- Albert Einstein
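
Encrypting a web.config section can also be done from code through the .NET protected-configuration API. The sketch below is an added example, not code from the thread or the linked article; the choice of the `appSettings` section, the key name `BatchAdminPassword` and the class name are assumptions.

```csharp
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Encrypts <appSettings> in the web.config of the given application
    // (for example "/MyApp"). Returns false if there was nothing to do.
    public static bool ProtectAppSettings(string appVirtualPath)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        // The DPAPI provider ties the ciphertext to this machine. On a web
        // farm, use "RsaProtectedConfigurationProvider" with a shared key
        // container instead.
        section.SectionInformation.ProtectSection(
            "DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading needs no extra code: the section is decrypted transparently
    // for code running inside the application.
    public static string ReadAdminPassword()
    {
        // "BatchAdminPassword" is a hypothetical key name.
        return WebConfigurationManager.AppSettings["BatchAdminPassword"];
    }
}
```

This protects the value at rest on disk and in backups; any code running as the application's identity on that server can still read it.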

  #3  
05-27-2011, 04:16 PM
DoughBoy

Hi PlausiblyDamp, thanks for your comment. Yes, that would work too.

For everyone, converting System.Security.SecureString needs to be serializable. One can create an object to become serializable. The method I suggested could work, but is unwise. Similarly, storing the admin password to any file despite it being encrypted I think is unwise.

The method I discovered and implemented is to move all admin-related tasks (such as executing a process, etc.) to a WCF application. This application sits on the IIS server running under a different application pool than the targeted web application. The WCF application's pool is being run as the administrator. I then removed IIS_IUSERS from accessing this WCF application, leaving my targeted web application as the only access point, calling the service when the specific admin task is required.

I feel that this new method is a more secure way of allowing admin rights to a web application, but still maintaining some distance from the general public. Please post back with your comments and questions.

Thanks.
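
A sketch of the privileged-service design described in this post, as an added example that is not DoughBoy's code. It assumes a WCF binding configured for Windows authentication; the account name `IIS APPPOOL\TargetWebApp`, the task names and the executable paths are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.ServiceModel;

[ServiceContract]
public interface IAdminTasks
{
    // Callers choose a task by name; they never supply a path or arguments.
    [OperationContract]
    int RunTask(string taskName);
}

public class AdminTasks : IAdminTasks
{
    // Assumption: the identity of the target web application's pool.
    private const string AllowedCaller = @"IIS APPPOOL\TargetWebApp";

    // Assumption: fixed table of batch jobs (paths are placeholders).
    private static readonly Dictionary<string, string> Tasks =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "nightly-import", @"C:\Batch\NightlyImport.exe" },
            { "rebuild-index",  @"C:\Batch\RebuildIndex.exe" }
        };

    public int RunTask(string taskName)
    {
        // Windows authentication on the binding makes the caller's identity
        // available here; reject anonymous or unexpected callers.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null ||
            !string.Equals(ctx.WindowsIdentity.Name, AllowedCaller,
                           StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Access denied.");

        string exePath;
        if (!Tasks.TryGetValue(taskName ?? string.Empty, out exePath))
            throw new FaultException("Unknown task.");

        var psi = new ProcessStartInfo(exePath) { UseShellExecute = false, CreateNoWindow = true };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```

Because the contract accepts only a task name from a fixed table, a compromise of the public web application can trigger the listed jobs but cannot run arbitrary commands as the administrator.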
  #4  
06-01-2011, 11:37 AM
alexsts

Why don't you encrypt the entire string and call for decryption in the app?
You can encrypt the string before placing it in the app config or web.config file as a string value.
I have a stand-alone encrypting Windows app and, inside the web app/site, a decryption function.
Easy as pie. Look at the BlowFish app as an example.
No delays, no headaches since decryption is a part of the app itself, and most important, only an authorized person has access to the encryption program, but even that person has no clue what algorithm was used for encryption.
Tested against a variety of hacking tools.
According to the report it will take 72 years to break a single string encrypted that way!!! And we tested just a password, not the entire connection string as we have in the web.config file.
That is why I am pretty sure that our data is safe and secure.

Last edited by alexsts; 06-01-2011 at 11:43 AM.