
I'm using DPAPI ProtectData as follow:

using System.Security.Cryptography;
using System.Security.Principal;

var temp = new byte[32]
{
    1,1,1,1,1,1,1,1,
    2,2,2,2,2,2,2,3,
    3,3,3,3,3,3,3,3,
    4,4,4,4,4,4,4,4
};

// Protect returns a new array; it does not modify temp in place,
// so the result has to be assigned back.
temp = ProtectedData.Protect(temp, null, DataProtectionScope.CurrentUser);
string userName = WindowsIdentity.GetCurrent().Name;

Let's assume that now temp looks like:

temp = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,....31 };

I want to execute this code from .exe file and also from my WebService (IIS).
The problem is that if I'm running the code from the exe the current user is MyDomain/Administrator, and if I'm running the code from the WebService the current user is IIS APPPOOL/MyApp.

How can I solve this issue? I'm trying to run the .exe file from the WebService as follows:

Process.Start(@"C:\myexe.exe");

But it's not working for some reason (I have full access to my IIS application), and anyway I don't think this is the right solution for this case.

Note: For security reasons I can't change from DataProtectionScope.LocalMachine to DataProtectionScope.CurrentUser.


2 Answers


If you don't want to use DataProtectionScope.CurrentUser, you could install it as LocalMachine to begin with. Then, have the WebService decrypt it, then re-encrypt it using CurrentUser. Make sure to delete the old value and all its transient copies. In this way, you can take it from LocalMachine and lock it down once the appropriate user is running.

This still leaves the key exposed at LocalMachine level, but for a shorter window of time.

Another solution is to use LocalMachine and use the additional entropy feature with a secret shared between the two executables. This could be an obfuscated value known to the application (no "real" security), or a user-provided password. The user-provided password solution could be more secure but is also more of a pain and more programming overhead.

If the time window between installation and WebService running is small, the first solution may be a good fit.

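The re-protect step from the answer above, as an added example (not code from the question or the answers): it assumes Windows with a reference to System.Security (or the System.Security.Cryptography.ProtectedData package), and the SharedEntropy value and the ReprotectForCurrentUser name are placeholders of my own.

```csharp
// Added example: move a DPAPI blob from LocalMachine scope to CurrentUser scope.
using System;
using System.Security.Cryptography;
using System.Security.Principal;

static class DpapiReprotect
{
    // Optional additional entropy: a secret shared by the installer and the
    // web service. Without it, any process on the machine can unprotect a
    // LocalMachine blob. Placeholder value, replace with a real shared secret.
    static readonly byte[] SharedEntropy = { 0x5A, 0x11, 0xC0, 0xDE, 0x42, 0x99, 0x7E, 0x01 };

    // Decrypts a LocalMachine-scoped blob and returns the same data protected
    // for the calling user only. The plaintext buffer is zeroed before returning.
    public static byte[] ReprotectForCurrentUser(byte[] machineScoped, byte[] entropy)
    {
        byte[] plaintext = null;
        try
        {
            plaintext = ProtectedData.Unprotect(machineScoped, entropy, DataProtectionScope.LocalMachine);
            return ProtectedData.Protect(plaintext, entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            if (plaintext != null) Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        // Constructed sample secret, standing in for the 32-byte key in the question.
        var secret = new byte[32];
        for (int i = 0; i < secret.Length; i++) secret[i] = (byte)(i + 1);

        // Step 1 (installer): protect at LocalMachine scope with the shared entropy.
        byte[] installed = ProtectedData.Protect(secret, SharedEntropy, DataProtectionScope.LocalMachine);
        Array.Clear(secret, 0, secret.Length);

        // Step 2 (web service, running as IIS APPPOOL\MyApp): bind it to this identity,
        // then delete the LocalMachine copy (file, registry value, ...) at the call site.
        byte[] userScoped = ReprotectForCurrentUser(installed, SharedEntropy);
        Array.Clear(installed, 0, installed.Length);

        // Only the same Windows user can read it back now.
        byte[] check = ProtectedData.Unprotect(userScoped, SharedEntropy, DataProtectionScope.CurrentUser);
        Console.WriteLine($"{WindowsIdentity.GetCurrent().Name}: recovered {check.Length} bytes");
        Array.Clear(check, 0, check.Length);
    }
}
```

Run Step 1 and Step 2 under the two different identities to see that the CurrentUser blob from Step 2 is only readable by the account that produced it.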

The problem was solved.
I'm running the IIS application as a local user.
You can find this by selecting the app pool and clicking Advanced Settings... under the Actions pane menu. Select Identity and then click the button beside the current user listed. Select Custom account and click Set. Use the format domain\username for the username and enter the password for the user.
