Corey

Reputation: 161

DirectoryEntry safe password handling

The DirectoryEntry class requires the username and password to be passed in as a string in cleartext. In C#, strings are generally not safe when used for storing sensitive data (there is no way to zero out the memory after use). How can I safely use DirectoryEntry to query Active Directory without risking leaving the username and password in memory?

I do understand that the memory used to store this data will be released back to the heap after use, but it will not be cleared!

If I'm wrong about any of my assertions, please let me know.

https://msdn.microsoft.com/en-us/library/wh2h7eed(v=vs.110).aspx

Upvotes: 1

Views: 2101

Answers (2)

Gabriel Luci

Reputation: 40998

Probably the most secure way is to run the application under the credentials you need to access AD with. If it's a desktop application, then that's easy (just run-as the application with the appropriate credentials).

In ASP.NET, it's a little trickier, but can be done with impersonation (either for the whole request, or just for a section of code): https://support.microsoft.com/en-ca/help/306158/how-to-implement-impersonation-in-an-asp-net-application

Upvotes: 1

Ashigore

Reputation: 4678

There is no way to query LDAP or AD in .NET with credentials that doesn't use plain text.

If you don't want to store passwords in memory then don't use them; give the user(s) the application runs under the rights to do what you need and use Windows authentication instead.

Upvotes: 3
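Both answers point to the same fix: bind with the process's (or the impersonated caller's) Windows identity instead of a password string. The following C# is an added example, not code from the question or either answer; it contrasts the two binds, and the `LDAP://DC=example,DC=com` path and the class and method names are placeholders of my own.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

static class AdLookup
{
    // Pattern the question describes: the password is an immutable managed
    // string that cannot be zeroed, so it may linger on the heap after use.
    public static DirectoryEntry BindWithPassword(string path, string user, string password)
    {
        return new DirectoryEntry(path, user, password, AuthenticationTypes.Secure);
    }

    // Pattern both answers recommend: pass no credentials. With
    // AuthenticationTypes.Secure the bind uses the current Windows identity
    // (Kerberos/NTLM), so no password string ever exists in this process.
    public static DirectoryEntry BindAsCurrentIdentity(string path)
    {
        return new DirectoryEntry(path, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Look up a user's DN by sAMAccountName; "DC=example,DC=com" is a placeholder.
    public static string FindUserDn(string samAccountName)
    {
        using (var root = BindAsCurrentIdentity("LDAP://DC=example,DC=com"))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    // ASP.NET variant from the first answer: run the query as the caller (a
    // WindowsIdentity exists when the site uses Windows authentication).
    public static string FindUserDnAs(WindowsIdentity caller, string samAccountName)
    {
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () => FindUserDn(samAccountName));
    }

    // RFC 4515 escaping so a caller-supplied value cannot change the filter.
    static string EscapeFilterValue(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The identity the bind runs under still needs read access to the directory, so the password never enters the application because the operating system, not the code, holds the credential.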
