安全窗口假冒？

Question

In my WPF application I want to allow administrators to test a database connection using integrated security for various other users. So I have a form that allows the admin to enter the domain, username and password and then test it. I am able to securely handle the password right up until I call LogonUser in the advapi32.dll which takes a string password

LogonUser(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref UserHandle)

I have written a utility function which converts the SecureString to a string as safe as possible, and then im calling it on the password in the LogonUser call:

LogonUser(UserName, Domain, Helper.ConvertSafely(Password), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref UserHandle)

Since the signature for LogonUser takes a string, unless LogonUser is taking proper care of the password in its execution, it could still be on my call stack in plain text after the call returns. Is there a more secure way to impersonate a user in which i can be confidant the PW is secure the whole time?

Basically all I need is a WindowsImpersonationContext but i would like to aquire it without the password ever being in plain text.

Answer 1

Inside your managed application you can make use of the SecureString class to handle sensitive information. There is usually no need to roll your own secure string mechanism.

Just before you pinvoke into LogonUser you are then passing the unmanaged copy of the SecureString password. You use the Marshal.SecureStringToGlobalAllocUnicode Method for this. Thus there is never a managed object in your app domain representing the password.

You can find example code in this article.

If you require even more security I would suggest to disallow direct database connection from you wpf clients. You can introduce a middle tier. Security is thus shifted away from the clients to this one server. Communication between Client and App-Server is encrypted and only the app server talks to the database.

Answer 2

If the user you want to impersonate is already logged on the machine (for example in another session), here is an answer: Is it possible for a Windows service impersonate a user without a password?

If he's not, you'll have to provide a password to LogonUser. And this password will have to reside at least a small amount of time, as is, in memory because that's the way LogonUser is defined. Note not all auth packages require passwords (like biometrics or smart card: Windows Authentication Overview ).

So if you really want impersonation, somewhere you'll have to pass a password around. In this case make sure you use postlagerkarte's code from Microsoft for this: Marshal.SecureStringToGlobalAllocUnicode Method sample code

You can't really do much more.

Answer 3

Update:

You could implement an encrypted app.config . You can do this through several different approaches:

• Protecting Connection Information
• Windows Data Protection

So how this would work, is when an Administrator inserts the credentials you would decrypt the app.config modify the key/value with the new credentials. Then once it is inserted it encrypts the config file again.

So it is exposed minimally, but also the data is inserted through encapsulation which helps hide it as well.

This is one approach, though a SecureString will work it expects a char[] . Which in some instances may not be ideal when interfacing through the advapi32.dll .