I wrote a program that reads the UserPrincipal of a user in our Active Directory via PrincipalContext. For this, the authentication of a privileged user is needed. At the moment the password for this authentication is saved as plaintext in the source code. For security reasons, an encrypted password should be saved in the source code or in a different file. Is there a way to solve this?

    const string domain = "";
    const string rooOrganizationalUnit = "";
    const string adDomain = "";
    const string adUserName = "";
    const string adPassword = "";
    private static PrincipalContext GetPrincipalContext()
    {
        PrincipalContext principalContext;

        principalContext = new PrincipalContext(ContextType.Domain, domain, rooOrganizationalUnit, ContextOptions.Negotiate, adUserName + "@" + adDomain, adPassword);

        return principalContext;
    }

(This snippet of code is originally taken from this site)

Tom
  • One of the many options would be to create your custom algorithm to encode/decode text, create DLL of that and call that with encoded password in this program, so it won't be easy for someone else to decode it unless they get the source code for custom function. – Techie Nov 24 '15 at 15:12
  • Why can't you use integrated security? That would remove the requirement to use or store a password. – rene Nov 24 '15 at 15:15
  • You can put encrypted strings in configuration files, there are ways to take strings and encrypt them after compilation, but it's easier to just do it in the configuration file. [See this blog entry](http://weblogs.asp.net/jongalloway/encrypting-passwords-in-a-net-app-config-file) for more details. – Ron Beyer Nov 24 '15 at 15:15
  • @Nimesh I see many problems with your suggestion. The words *custom* and *security* are incompatible. *Encoded* can be brute-forced in milliseconds with modern attacks based on frequency. There is a big difference between *encoded* and *encrypted*. – oleksii Nov 24 '15 at 15:23
  • @oleksii You're right and I agree but I didn't say that's the best and the only option. Solution can be chosen based on the business criticality too. – Techie Nov 24 '15 at 15:40

1 Answer

You don't want to store this in code either encrypted or not. One of the approaches will be to shift sensitive data off to a config file, type passwords in production only and encrypt that section in the application.

In a config file

    <configuration>
        <appSettings>
            <add key="adPassword" value="this should be empty in source control" />
        </appSettings>
    </configuration>

In code

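    // const requires a compile-time constant, so a value read at runtime must be static readonly
    static readonly string adPassword = ConfigurationManager.AppSettings["adPassword"];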

Notes

  • You'd want to encrypt the config file section; something like this usually works.
  • If you need to commit the config file anyway, use config file transformation and commit the file as a template. The password will never be committed to source control.
oleksii
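One way to carry out the "encrypt config file section" step from the answer's notes, as an added example that is not part of the original answer. It assumes a .NET Framework application that references System.Configuration and System.DirectoryServices.AccountManagement; the class `AdConfig` and its method names are hypothetical, and only the `adPassword` key comes from the answer.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper class (added example); only the "adPassword" key is from the answer.
static class AdConfig
{
    // Built-in DPAPI-backed protected configuration provider.
    const string Provider = "DataProtectionConfigurationProvider";

    // Run once on the production machine, after the password has been typed into the
    // deployed config file. Returns false if the section was already encrypted.
    public static bool ProtectAppSettings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null)
            throw new ConfigurationErrorsException("appSettings section not found");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write the section even if unchanged
        config.Save(ConfigurationSaveMode.Modified);   // file now holds ciphertext only
        ConfigurationManager.RefreshSection("appSettings");
        return true;
    }

    // ConfigurationManager decrypts a protected section transparently on read.
    public static string GetAdPassword()
    {
        string password = ConfigurationManager.AppSettings["adPassword"];
        if (string.IsNullOrEmpty(password))
            throw new ConfigurationErrorsException("adPassword is not set in appSettings");
        return password;
    }

    // Same PrincipalContext call as in the question, with the password read from config.
    public static PrincipalContext GetPrincipalContext(string domain, string container, string userUpn)
    {
        return new PrincipalContext(ContextType.Domain, domain, container,
            ContextOptions.Negotiate, userUpn, GetAdPassword());
    }
}
```

With this provider's default settings the DPAPI key is bound to the machine, so the section must be encrypted on the machine where the application runs, and the file will not decrypt elsewhere. Code running on that same machine can still decrypt it, so the config file's ACLs and the service account's privileges remain part of the protection.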