堆栈内存溢出
  简体   繁体   English

如何在c#Web应用程序/服务中保护敏感密码?

[英]How should I protect sensitive passwords in my c# web apps/services?

 原文  2013-04-23 18:35:51       c#/ asp.net/ asp.net-mvc/ security/ windows-services

问题描述

I'm writing a service that allows users on my corporate domain to perform limited active directory operations. 我正在编写一项服务,该服务允许公司域中的用户执行有限的活动目录操作。 These users don't have permissions to AD themselves but the site authenticates as a shared user that can do things like unlock an account (for example). 这些用户没有自己的AD权限,但是网站以共享用户身份进行身份验证,该用户可以执行诸如解锁帐户之类的操作。

The password in my code is currently in plaintext 我的代码中的密码目前为纯文本格式

Is there a recommended method out there for me to protect this password? 有没有推荐的方法可以保护我的密码? Obviously someone would have to decompile the website binaries to get access to it, but I don't feel like that's enough protection. 显然,有人必须对网站二进制文件进行反编译才能访问它,但是我觉得这还不够。

For background i'm using the newer System.DirectoryServices.AccountManagement methods in C# for doing this, so i have: 对于背景,我正在使用C#中较新的System.DirectoryServices.AccountManagement方法来执行此操作,因此我有: 

PrincipalContext pc = new PrincipalContext(ContextType.Domain, "MYDOMAIN", "theuser", "thepassword");

Any tips appreciated! 任何提示表示赞赏! Otherwise i might just resort to obfuscation, encrypting it and employing several badger-warren-like classes to decrypt the values 否则,我可能只会求助于混淆,对其进行加密,并使用几个类似badge的类来解密值

1 个解决方案

解决方案1
 3  2013-04-23 18:46:30

I think the best way would be to have the application pool identity have enough permissions to do the necessary work within Active Directory. 我认为最好的方法是使应用程序池标识具有足够的权限,以在Active Directory中进行必要的工作。 That would allow the web application to run with without the need of a hard coded username and password. 这将允许Web应用程序运行,而无需硬编码的用户名和密码。 You may need help from a sysadmin to get this setup. 您可能需要系统管理员的帮助才能进行此设置。

Remember, obfuscation only works so well. 请记住,混淆处理效果很好。 Obfuscated code does have to be de-obfuscated before executing so the processor can understand it. 在执行之前,必须对混淆的代码进行去混淆,以便处理器能够理解它。 If someone is determined, this can be defeated. 如果确定某人,这可以被击败。 But if that is happening, you probably have more than this as a security issue. 但是,如果发生这种情况,那么作为安全问题,您可能还不止这些。

And lastly, the user you connecting to active directory with should have the least amount of access possible to mitigate any possible damage in the event the username and password is discovered. 最后,连接到活动目录的用户应该具有最少的访问权限,以减轻发现用户名和密码时可能造成的损害。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我应该从哪里开始使用带有C#Client的PHP的Web服务? - Where should I start for Web Services with PHP with C# Client? 如何在我的VB.net应用程序中使用c#web服务处理区分大小写的类和方法 - How do I handle case sensitive classes and methods from a c# web service in my VB.net app 我是否应该从C#调用中保护我的F#代码 - Should I null-protect my F# code from C# calls 布尔方法如何不区分大小写的C#返回 - How a Boolean method should not return for case sensitive c# 如果我的代码无法使用C#连接Web服务,应如何尝试3次? - How should I try 3 times if my code failed to connect a web service in C#? C#Web服务 - C# web services 如何保护我的 C# 应用程序免受 memory 转储攻击? - How do I protect my C# app from memory dump attack? 在非托管DLL中调用方法时,如何保护C#应用程序免于崩溃? - How do I protect my C# app from crashing when calling a method in an unmanaged DLL? 如何让Java应用程序与控制台C#应用程序交互? - How do I let my Java apps interact with my console C# apps? 如何在 C# 中调用 Web 服务 - How to call web Services in C#
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM