madlan

Reputation: 1397

Storing credentials locally in registry - encryption methods?

I'm having to store a user account locally on a machine, what would be the best method to store this? (Needs to be reversible encryption rather than hash)

I'm accessing a UNC share as mentioned here: Accessing UNC Share from outside domain for file transfer

Using this suggested method: http://www.codeproject.com/KB/IP/ConnectUNCPathCredentials.aspx

This will be an automated process so no option of human entered credentials. I'm currently encrypting the details and storing them in the registry using TripleDES:

http://www.devarticles.com/c/a/VB.Net/String-Encryption-With-Visual-Basic-.NET/4/

With the key and initialization vector hard coded within the application.

Can anyone suggest a better method or changes to the above to secure the credentials as much as possible?


Upvotes: 0

Views: 1790

Answers (1)

Remus Rusanu

Reputation: 294317

You never ever need to store user credentials. If your process needs to access a network share then it should be run under proper credentials, using runas or service account properties. If the network credential is not in the local/current domain it should use runas /netonly. And that's all there is to it, no excuses, no exceptions.

As a side note, Windows applications store secrets locally using DPAPI, exposed in .Net as ProtectedData class. The link has fully functional examples of encrypting data with DPAPI in .Net. However, the point remains that storing user credentials in applications, even under DPAPI, is fundamentally broken.

Upvotes: 1
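For the DPAPI side note above, here is an added example (not code from the question, the answer, or the linked articles) of replacing the hard-coded TripleDES key with ProtectedData: the blob is bound to the Windows account that runs the job, so no key lives in the binary. It assumes .NET on Windows with a reference to System.Security (or the System.Security.Cryptography.ProtectedData package); the registry path, value name and entropy string are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example: keep a share password in the registry as a DPAPI blob instead of
// TripleDES with a key and IV compiled into the application.
static class DpapiSecretStore
{
    // Hypothetical key path; ACL it so only the account running the job can read it.
    const string KeyPath = @"Software\ExampleApp\Secrets";
    const string ValueName = "SharePassword";

    // Optional entropy is NOT a key: it only ties the blob to this application so
    // another process running as the same user also needs this value to unprotect it.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp:v1");

    public static void Save(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // CurrentUser scope: only the same Windows account (e.g. the service account
            // the job runs under) can decrypt. LocalMachine scope would let any process
            // on the host decrypt, which is much weaker for an unattended job.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
                key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not keep plaintext around longer than needed
        }
    }

    public static string Load()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            if (key == null) throw new InvalidOperationException("secret key path not found");
            byte[] blob = key.GetValue(ValueName) as byte[];
            if (blob == null) throw new InvalidOperationException("secret value not found");
            // Unprotect throws CryptographicException if the blob came from another user
            // or machine, or the entropy differs; let that surface rather than masking it.
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
    }
}
```

Run Save once under the service account that will execute the transfer, then call Load from the job running as that same account; the answer's main point still holds, a service account or runas /netonly avoids storing the password at all.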
