1

On a Windows local network I have a MySql database, several client applications (that only query the database) and one Windows NT service that fills the database on a regular basis. I am looking for the best way to store database credentials such that all applications can access the database. For the client applications (that are run by normal users) I store the credentials in the Windows credential manager, which, as far as I understand, is only visible to the specific user.

My question is: Where do I best store the MySql credentials such that the Windows service can access the database?

Thanks in advance, Nicolas

NicolasR

2 Answers

1

The LsaStorePrivateData and LsaRetrievePrivateData functions are a reasonably straightforward method of storing and retrieving a secret. Data stored in this way can only be retrieved by someone with administrative access to the machine. This doesn't provide 100% protection, but (assuming there are no bugs and that the cryptographic algorithm has not been broken) the protection is as good as is logically possible if the secret has to be retrieved by a system service without manual intervention.

There is no built-in GUI for LsaStorePrivateData. You will need to write some code that uses this function to save the MySql credentials. (This code could, however, be located in the same executable as the system service, and accessed via a command-line option.)

Harry Johnston
  • This seems to work for my service application. Too bad that I cannot use the credential store for client and service applications. – NicolasR Aug 27 '12 at 22:29
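The approach from the answer above, as an added example that is not code from the post or its author: a C# sketch (the thread does not say which language the service uses) that stores a secret with LsaStorePrivateData when started with a command-line option and reads it back with LsaRetrievePrivateData otherwise. The class name, the key name `L$ExampleSvcMySqlPassword` and the `--store-secret` option are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LsaSecret   // hypothetical helper class, added for illustration
{
    [StructLayout(LayoutKind.Sequential)] struct UStr { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] struct ObjAttr { public int Length; public IntPtr Root, Name; public uint Attributes; public IntPtr Sd, Qos; }
    const uint POLICY_GET_PRIVATE_INFORMATION = 0x4, POLICY_CREATE_SECRET = 0x20;

    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr system, ref ObjAttr attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaStorePrivateData(IntPtr policy, ref UStr key, ref UStr data);
    [DllImport("advapi32.dll")] static extern uint LsaRetrievePrivateData(IntPtr policy, ref UStr key, out IntPtr data);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr handle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);

    static void Check(uint status) { if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status)); }

    // Length is in bytes and excludes the terminator; MaximumLength includes it.
    static UStr Str(string s) => new UStr { Buffer = Marshal.StringToHGlobalUni(s),
        Length = (ushort)(s.Length * 2), MaximumLength = (ushort)(s.Length * 2 + 2) };

    static IntPtr Open(uint access) {
        var attrs = new ObjAttr();   // members are unused by the API and must be zero
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, access, out IntPtr policy));
        return policy;
    }
    public static void Store(string key, string secret) {
        IntPtr policy = Open(POLICY_CREATE_SECRET);
        UStr k = Str(key), v = Str(secret);
        try { Check(LsaStorePrivateData(policy, ref k, ref v)); }
        finally { Marshal.ZeroFreeGlobalAllocUnicode(v.Buffer); Marshal.FreeHGlobal(k.Buffer); LsaClose(policy); }
    }
    public static string Retrieve(string key) {
        IntPtr policy = Open(POLICY_GET_PRIVATE_INFORMATION), data = IntPtr.Zero;
        UStr k = Str(key);
        try {
            Check(LsaRetrievePrivateData(policy, ref k, out data));   // throws if the key was never stored
            UStr result = Marshal.PtrToStructure<UStr>(data);
            return Marshal.PtrToStringUni(result.Buffer, result.Length / 2);
        } finally { if (data != IntPtr.Zero) LsaFreeMemory(data); Marshal.FreeHGlobal(k.Buffer); LsaClose(policy); }
    }
    static void Main(string[] args) {
        const string Key = "L$ExampleSvcMySqlPassword";   // hypothetical name; "L$" marks a local secret
        if (args.Length == 1 && args[0] == "--store-secret") {   // hypothetical option, run from an elevated prompt
            Console.Write("MySQL password: ");   // read from stdin so the value is not left in the command line
            Store(Key, Console.ReadLine());
        } else {
            string password = Retrieve(Key);   // service start-up path: use this for the connection string
            Console.WriteLine("Retrieved a secret of {0} characters.", password.Length);
        }
    }
}
```

Both calls fail with an access-denied error unless the process runs as an administrator or as the service account (for example LocalSystem), which is the access boundary the answer describes.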
0

The service runs as a user also, so why can't you use the same approach for it? That assumes that the service runs as its own user, or some other secure account.

Jonathon Reinhart
  • Ok, assuming the service runs under the local system account and this account has a credential store too, how can an administrator access this store to enter the credentials? – NicolasR Aug 27 '12 at 02:16
  • If I assign credentials to the service via "sc.exe config" for an admin account it should be possible to use the Windows credential store of this admin. So, your suggestion is surely a way I should consider. Thanks. – NicolasR Aug 27 '12 at 22:23