如何在C#应用程序中保护服务帐户?
[英]How to secure service account in c# app?
问题描述
I have a service account for my application and in my application work actually as : 
我有一个用于我的应用程序的服务帐户,并且在我的应用程序中,实际上是:
private string SA_myapp = "service_account_myapp@domain.com";
private string SA_myapp_pass = "5tr0ngP455w0rd";
private DirectoryEntry LDAP = new DirectoryEntry("LDAP://" + domainName, SA_myapp, SA_myapp_pass);
It's work as well but I believe it's not the good way do to this. 它也可以正常工作,但我认为这不是好方法。
How can I use my service account with a more secured way in my app ? 如何在我的应用程序中以更安全的方式使用服务帐户?
PS : C# app, Windows, active directory account PS:C#应用程序,Windows,活动目录帐户
1 个解决方案
解决方案1
1 已采纳 2017-10-04 07:05:07
You can use DPAPI to secure the password and store it in registry , so essentially when the service loads itself for the first time it reads the value from one registry key ( say pass_clear ) and then when it starts it check for a value in the key pass_clear , if a value is found it reads it and secures it by calling 您可以使用DPAPI来保护密码并将其存储在注册表中,因此从本质上讲,当服务首次加载自身时,它将从一个注册表项(例如pass_clear)中读取值,然后在启动时检查密钥中的值pass_clear,如果找到一个值,它将读取它并通过调用来保护它的安全
ProtectedData.Protect( pass_clear , s_aditionalEntropy, DataProtectionScope.CurrentUser );
The encrypted byte[] can then be converted to base64 string and stored in another registry key pass_secure , which can then be used by the application / service as and when it need to bind itself to the LDAP port. 然后可以将加密的byte []转换为base64字符串,并存储在另一个注册表项pass_secure中,然后在需要将其自身绑定到LDAP端口时,可以由应用程序/服务使用。
The data protection scope of current user will only allow the service account to decrypt the password and the framework does the key management for you. 当前用户的数据保护范围将仅允许服务帐户解密密码,并且框架为您执行密钥管理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.