Hello All,
I am currently working on making our code more secure, ensuring that credentials (in particular passwords) are not kept in plaintext in memory, databases, files, or over the wire.
We have put a lot of effort into securing all credentials in memory by either encrypting them or using SecureStrings. In some cases, these encrypted credentials are used as part of a logon or impersonation process, in which case we use the LogonUser API as shown below.
Since LogonUser requires a plaintext password, we make sure to decrypt the password right before LogonUser is called and clean the string right after. However, I do not understand what happens with the password string in the context of the LogonUser implementation. For instance, if I am calling LogonUser with a domain account, I would imagine that the credentials would have to make their way to the DNS/AD machine. If the passwords were sent in plaintext, someone could sniff them to use in a man-in-the-middle type of attack.
So my questions are:
- How secure is LogonUser? Does it use any type of encryption to communicate with the DNS/AD? What is the flow?
These are probably basic questions for those versed in Windows security.
Any help is greatly appreciated.
Kind regards
CD
using System;
using System.Runtime.InteropServices;

internal static class NativeMethods
{
    // ANSI entry point (LogonUserA): the strings are marshalled as LPStr, and
    // ThrowOnUnmappableChar makes a password character outside the ANSI code
    // page throw instead of being silently replaced by a best-fit character.
    [DllImport("advapi32.dll", CharSet = CharSet.Ansi,
        SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    internal static extern bool LogonUser(
        [MarshalAs(UnmanagedType.LPStr)] string pszUserName,
        [MarshalAs(UnmanagedType.LPStr)] string pszDomain,
        [MarshalAs(UnmanagedType.LPStr)] string pszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);   // receives the logon token; release it with CloseHandle
}
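As an added example (not code from the original post), one way to avoid ever materialising the decrypted password as a managed string: marshal the SecureString into unmanaged memory, hand the pointer to the Unicode entry point LogonUserW, and zero and free that buffer in a finally block. The logon type and provider constants are the winbase.h values for an interactive logon with the default provider; the class and method names are my own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;

internal static class SecureLogon
{
    // Constants from winbase.h: LOGON32_LOGON_INTERACTIVE and LOGON32_PROVIDER_DEFAULT.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Unicode entry point; pszPassword is an IntPtr, so the marshaller never
    // creates an immutable managed string copy of the plaintext password.
    [DllImport("advapi32.dll", EntryPoint = "LogonUserW", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LogonUser(
        string pszUserName,
        string pszDomain,
        IntPtr pszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    internal static extern bool CloseHandle(IntPtr hObject);

    // Returns a logon token for the given account; the caller owns the token
    // and must release it with CloseHandle when done impersonating.
    public static IntPtr LogonWithSecureString(string userName, string domain, SecureString password)
    {
        IntPtr passwordPtr = IntPtr.Zero;
        try
        {
            // Decrypt into unmanaged memory immediately before the call ...
            passwordPtr = Marshal.SecureStringToGlobalAllocUnicode(password);
            if (!LogonUser(userName, domain, passwordPtr,
                           LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out IntPtr token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return token;
        }
        finally
        {
            // ... and overwrite and free the plaintext buffer as soon as the
            // call returns, whether it succeeded or threw.
            if (passwordPtr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(passwordPtr);
        }
    }
}
```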