We have a machine that basically runs as a local system in kiosk mode by auto-logging in as a local machine user.
The user needs to launch a program that runs in a domain account. What we've done in the past is to encrypt the domain, user and password details in a file. Then decrypt them to launch the program (C# Process.Start). This program needs a domain account to use Windows authentication for accessing a SQLServer database.
However this is a security hole, the decryption password is inside the launcher program so someone could inspect the code and get access to a domain account.
Also, we cannot require the users to type in the account details, the users don't know these details, it's a one user for all type of account.
One thought is maybe there's a way to store an access token that I could use to launch the domain program. At least in that scenario the access token wouldn't have the clear text of the password. I looked at Windows Credential Manager but that seems mainly to be used for web sites and wants to store details as text.
Another option I'm investigating is a Windows service. The service would run in a third account and would hold the "secrets". However, I'm not sure how I would launch a process for the kiosk user and have it work properly with the user desktop / UI.
Related
I have an MFC app and WPF app that when run in LocalSystem user can't process any IMEs (Input Method Editors). But the same application when launched in user mode was able to receive IME inputs from keystrokes and from IMEPad.
In the LocalSystem user process, when keyboard focus is in the control (both WPF and MFC) the IME icon becomes "X" like the following image:
I can't launch in the user mode by default as I have to perform higher privileged operations with my app. I am not able to find any explicit thread in Microsoft forums or elsewhere that talks about my issue.
Have you faced this issue? This seems like a restriction in Windows rather than an issue, do you know how to work around it. Any valuable input regarding this is appreciated.
Edit:
LocalSystem account is not associated with any user. As mentioned in msdn :
The account is not associated with any logged-on user account.
This could be the reason why Windows can't enable IME on System user. It does not know the language set in the current user. Is there anyway to force/bypass to consider Logged user's locale.
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.
A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:
The registry key HKEY_CURRENT_USER is associated with the default user, not the current user.
To access another user's profile,impersonate the user, then access HKEY_CURRENT_USER.
The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.
The service presents the computer's credentials to remote servers. If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.
So if you need to run app as a LocalSystem account and you are not happy with default user settings you can 2 things:
Impersonate another user, this is common tactic (Impersonate user in Windows Service)
Set language preferences (or whatever you need) to default user. Here is an example for Win10 for and language issue (https://www.microcloud.nl/windows-virtual-desktop-dutch-language-pack/#more-1311).
Demystifying error - If you are using VS, you can try enable more logging, https://learn.microsoft.com/en-us/visualstudio/ide/reference/devenv-command-line-switches?view=vs-2022 and figure out what the tool is not able to get from default user. You also can attach VS debugger to running process, see msdn article (https://learn.microsoft.com/en-us/visualstudio/debugger/attach-to-running-processes-with-the-visual-studio-debugger?view=vs-2022)
I've been tasked with setting up default admin credentials for a .NET desktop application. As of right now, the application uses Windows admin credentials to access the manager page and I would like to add a local default admin account.
I imagine the user will go through the following process:
(1) Clean install of application
(2) User launches application
(3) App is in "logged out" state
(4) User logs in as manager with the provided default credentials (provided in user guide)
(5) Once logged in for the first time, prompt user to update local default credentials to a more secure password
After doing some research on google and stack overflow, I read that I definitely should not hard code the user credentials in the source code. I'm thinking of storing the default username/password in the app.config file. Then, in the manager page, the user can update the current username/password to something more secure. There will only be ONE local admin account so the username/password from the app.config file will need to be updated?
In other words, the default user credentials will be stored in app config. Then, modified whenever the user updates the local credentials. Does this approach work for the situation I described above? If not, I would appreciate any ideas. I've looked into DPApi as well but would prefer a simpler approach.
If you don't want use Active directory, AZMan or other popular solutions, you can store credentials in multiple ways:
In binary file with your own coding pattern.
In embedded databases such as SQlite.
Save credentials in windows registry.
Storing sensitive data in app.config is bad way.
I am working in C# on a web application that requires a login username and password. This application is made to be compatible with Windows and is being written in VS 2013. In this company's network, all computers require user credentials, and in all cases the user's credentials for the app will be the same as their Windows logon credentials. Therefore we are trying to implement a system where, instead of signing onto Windows and then entering the same credentials again in the app, the app can access the Windows credentials that were given by the current user and attempt to sign in automatically with those. I know there is a way to do this using active directory with Azure, but for the time being we are trying to avoid using Azure. I have tried using WindowsIdentity.GetCurrent() and Environment.UserName so far, but both of those only supply the username, not the password, and we need the full credentials. It wouldn't shock me if this cannot be done in this way for security purposes, but if there is a way it would be incredibly helpful. Does anyone know of a way to access the current user's credentials? Thanks
You don't need Azure to accomplish this. Your application pool simply needs to have Windows Authentication enabled. You will not have access to the password, however.
After that, you will need to most likely write a HttpHandler which will get the HttpContext.Current.User.Identity value and check it against a database or collection of authorized users. You don't need to "re-authenticate".
I am developing a c# Winforms application that runs as a normal user (no elivated privilages) under windows7. The application needs to access a folder that is present on another domain - not the domain the user signed in under.
I would like to know how to ask the user to enter the new credentials needed to access the folder and the files it contains, on the other domain, from within the application.
Ideally, I would like to pop-up a credentials dialog, similar to what windows curently does, asking for the userid, password and domain. I am unsure how to do this and what to do with the values the user would provide so the folder's files can be accessed.
An example would be very good.
thanks
c# user
You can used advapi32.dll methods to impersonate a specific user in your code. Have a look at this article.
You can prompt for details using the CredUIPromptForWindowsCredentials function.
If you're connecting to a file share, you don't need to impersonate a user; you can just pass the other credentials to the WNetAddConnection3 function.
To call it from C#, you'll need P/Invoke.
How can a C# program running as LocalSystem impersonate the login identity of another user temporarily? Roughly speaking I have a Windows Service that I'd like to run as LocalSystem but at times impersonate user XYZ (when connecting to a db using windows integrated security).
Most important of all: Is there a way to do this without knowing the other user's password?
Note: if a password is mandatory is there a recommended strategy for storing a password securely (c# and/or vbscript).
It's possible, although it requires you to do a lot of code. See NtCreateToken and CreateToken. You need SeCreateTokenPrivilege, although that won't be a problem since you're running under NT AUTHORITY\SYSTEM. You can then use the created token to impersonate inside a thread.
Short answer: you can't without the user password or the user calling your service through COM.
To impersonate another user in your process, you have to call ImpersonateLoggedOnUser. ImpersonateLoggedOnUser requires a token handle. There are several ways you can obtain token handle:
by logging on as the user with LogonUser. This however requires you to know the user password.
by duplicating an existing token with CreateRestrictedToken, DuplicateToken, or DuplicateTokenEx.
by opening the token from another process or thread, that already is loggen on as the user, with OpenProcessToken or OpenThreadToken
For the password storing part, you may want to have a look at this question asked recently.
This was my answer:
You could/should use the DPAPI, the Data Protection API that provides storage encryption.
It's there just for this type of problem.
Encryption of the storage is based on either:
the user account, so only the logged-in user can access the data. This makes the data transferable to another PC with the exact same user credentials.
the machine, making the data only accessible on that particular machine setup and not transferable to another PC.
There is a dnrTV show with Karl Franklin showing exactly what's needed to implement this, and other encryption functions.
The source code from the show is also available on the page.
There are, of course, lots of other articles on that subject.