4

I recently read the following SO question.

What's the best way to store a password or private key on a web host?

It mentions encrypted connection strings (for use in an ASP.NET app) or using the Data Protection API (DPAPI) at the time of this writing. Both seem like good solutions for this user's particular use case.

However, traditionally I've always stored sensitive configuration values like passwords and connection strings in User Environment Variables on the server(s) they are being used on. These are easy to define, change, and read (from an IT perspective). They're also easy to access regardless of the framework or language used.

The question is: Is it good practice to store sensitive data in Windows user environment variables and if not, why?

EDIT:

Based on Ken's comments, a prerequisite question should be: Are the Windows registry contents encrypted?

Sean Glover
  • What makes you believe that user env. vars have "some measure of encryption"? Log in as a different user, create an environmental variable for that user using `Control Panel` (something like `DUMMYVAR=Somedumbthing` works well for the next steps), log in as an admin, and search the registry for `DUMMY` from `regedit`. I can find it and read `Somedumbthing` in plain text. Do you want your credentials stored that way? Using strong encryption or `DPAPI` actually protects the data. "Security" and "easy to access" are usually opposites for a good reason. – Ken White Jun 27 '12 at 23:32
  • I would expect admin users to be able to read all environment variables. What I meant was the registry itself has some measure of encryption. i.e. if a hard disk was physically stolen you can't read the environment variables stored on it as plain text. – Sean Glover Jun 27 '12 at 23:44
  • Again, based on facts not in evidence. :-) Have you tried recovering a Windows registry file from a hard disk using a hex editor? I'm going to trust tried-and-true encryption technology instead of chance, thanks. – Ken White Jun 28 '12 at 00:03

2 Answers

7

Whatever you store in the User or System Environment is stored in clear text (non-encrypted) in the NTUSER.DAT and SYSTEM registry files. They can be read not only with a hex editor, but even with a simple text editor or using grep, and even more easily if you use one of the many tools to parse/extract data from the registry files.

Example (Windows 2008 Server, dump done with RIP Linux):

This is the Environment Variables dialog. I have set a User variable (MySecretPassword=NobodyCanReadThis) and a System variable (MySystemSecret=NobodyCanReadThisEither):

[Image: Windows Environment Variables dialog, with one user and one system variable]

This is how it looks with hexedit from Linux, after mounting the Windows NTFS partition and looking for the NTUSER.DAT file in the Administrator directory. You can easily search for the user environment variable name and you'll find its content in clear text:

[Image: hexdump of NTUSER.DAT]

This is the SYSTEM registry file from the Windows\System32\Config directory. Again, you can easily search for the variable name. In this case, the value of the variable was several bytes after the variable name, but it was very easy to spot:

[Image: hexdump of SYSTEM]

MV.
  • Thanks for taking the time to illustrate this explicitly. I shouldn't have made the assumption that the registry was encrypted before asking this question. – Sean Glover Jun 28 '12 at 01:00
  • You are welcome. I tested it because I wondered too if it was a good idea. I still think you can store some data there (maybe the location of a file containing the passwords), but certainly not secrets. BTW, this server has PHP installed, and the System Environment variable in this example was visible using phpinfo(), so if you allow nontrusted users to upload scripts, they could access the environment too. – MV. Jun 28 '12 at 01:05
1

In addition to the above answers, you can log in as a different user and use a tool such as Sysinternals Process Explorer to look at the running process. One of the tabs lists the environment variables that the process is running with, including the not-so-secret user environment variables.

Was shocked when I saw this and have now changed to use a secured file only accessible by the user running the process.

mekondelta
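
The storage behaviour described in the answers above, as an added example that is not part of the original posts: a PowerShell sketch showing that a user environment variable sits as plain text under `HKCU:\Environment`, beside the same value protected with DPAPI and kept in a file whose ACL grants access only to the current account. It assumes Windows PowerShell 5.1; the variable name, sample value and file path are constructed for illustration.

```powershell
# Added example; the name, value and path below are constructed for illustration.
Add-Type -AssemblyName System.Security   # provides ProtectedData (the DPAPI wrapper)

$name   = 'DemoSecretVar'                # hypothetical variable name
$secret = 'NotARealPassword'             # constructed sample value

# 1. Weak: a user environment variable is an ordinary string value under HKCU\Environment.
[Environment]::SetEnvironmentVariable($name, $secret, 'User')
$stored = (Get-ItemProperty -Path 'HKCU:\Environment' -Name $name).$name
"Registry holds plain text: $($stored -eq $secret)"

# Remove the demo variable again (an empty value deletes it).
[Environment]::SetEnvironmentVariable($name, $null, 'User')

# 2. Stronger: encrypt with DPAPI under the current user's key ...
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$plain  = [System.Text.Encoding]::UTF8.GetBytes($secret)
$cipher = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)

# ... and keep the blob in a file that only this account can open.
$file = Join-Path $env:LOCALAPPDATA 'demo-secret.bin'   # hypothetical path
[System.IO.File]::WriteAllBytes($file, $cipher)

$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)             # stop inheriting, drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# The bytes on disk are not the plain text ...
$onDisk = [System.IO.File]::ReadAllBytes($file)
"File holds plain text: $([System.Text.Encoding]::UTF8.GetString($onDisk).Contains($secret))"

# ... but the same account can recover the value at run time.
$back = [System.Security.Cryptography.ProtectedData]::Unprotect($onDisk, $null, $scope)
"Round trip OK: $([System.Text.Encoding]::UTF8.GetString($back) -eq $secret)"

Remove-Item -Path $file                                 # clean up the demo file
```

Run it as the account that will later read the secret, since the `CurrentUser` scope ties decryption to that account's DPAPI key.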