Solved

Hidden authentication WMI

Posted on 2012-08-22
Last Modified: 2013-11-08
Hi,

I have a console app that monitors our servers. The app is running as a scheduled task in Win XP PRO SP3 under a user with admin rights.

In my console app I need to provide the same user name and password in order to make the WMI calls.
How can I use a more secure approach here? I don't want to hard-code this information within the C# code but rather get the info at runtime from the OS OR find a way to use an encrypted password.

Suggestions?

BR
0
Comment
Question by:peer754
 
LVL 9

Expert Comment

by:teebon
ID: 38319908
Hi peer754,

You may store your username and  password encrypted in a config file.
From your console app, read the username and password and decrypt it before passing to WMI call.
0
 

Author Comment

by:peer754
ID: 38323999
Ok, but then I need a way to encrypt the password.
Now, I add the information at design time through Project->Properties->Settings GUI, how do I encrypt my string value holding the password?

How do I later decrypt the password at runtime?
0
 
LVL 16

Expert Comment

by:cantoris
ID: 38334925
I'm not a developer, but can you not just use your existing user credentials (i.e. those the task is running under) with WMI without having to explicitly specify them again?
0
 
LVL 9

Expert Comment

by:teebon
ID: 38335752
Hi Peer,

You may use this to encrypt and decrypt your password:
http://www.codeproject.com/Articles/5719/Simple-encrypting-and-decrypting-data-in-C
0
 

Author Comment

by:peer754
ID: 38340463
Hi teebon,

Thanks for showing willingness to help out! :)

I think I need to clarify some things in my original question.

1. I don't want to store any user credentials in my console app (config file or similar)
2. Since my .exe will be run as a scheduled task on some server, I want to pass the user credentials provided when setting up the task to my WMI calls.
3. I don't aim to show this info but to securely pass the credentials to the WMI call.

The WMI call uses RDP and needs an admin account with password

I think I could get the password as a SecureString through

Process.GetCurrentProcess().StartInfo.Password



OR?

Thanks!
0
 

Author Comment

by:peer754
ID: 38340660
The above attempt is not working getting the password.

This is how I will get username + domain:

            // Requires: using System.Diagnostics; using System.Management;
            Process thisProc = Process.GetCurrentProcess();
            // ProcessId is numeric (uint32), so no quotes are needed around the value
            ObjectQuery objQuery = new ObjectQuery("SELECT * FROM Win32_Process WHERE ProcessId = " + thisProc.Id);

            using (ManagementObjectSearcher mos = new ManagementObjectSearcher(objQuery))
            {
                foreach (ManagementObject mo in mos.Get())
                {
                    // GetOwner fills its two out-parameters: [0] = user name, [1] = domain
                    string[] s = new string[2];

                    mo.InvokeMethod("GetOwner", (object[])s);
                    clientName = s[0];
                    domain = s[1];

                    break;
                }
            }



Still don't know how to get the password from the process owner??? :(
0
 

Author Comment

by:peer754
ID: 38341124
Ok, thanks!

I will try to be even more precise.

In my WMI call

                        // Explicit credentials for a remote WMI connection
                        ConnectionOptions connection = new ConnectionOptions();
                        connection.Username = clientName;
                        connection.Password = clientPwd;
                        // Authority needs the authentication-type prefix, e.g. "ntlmdomain:MYDOMAIN"
                        connection.Authority = "ntlmdomain:" + domain;
                        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\CIMV2", connection);
                        scope.Connect();
                        ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_Processor");



I want to pass the password from the process holding my console app with something like this (pseudo code):
connection.Password = ThisRunningProcess.GetPassWord();


0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 38341326
I wouldn't write your own; the scheduled task isn't a bad place to keep it. I don't know of any hack or recovery software for scheduled task passwords (perhaps one of the pass-the-hash tool sets).
However, from a security point of view, I'd like to iterate that you don't need admin as much as you think you might, and that you shouldn't use it as much as you think :) WMI allows permissions to be set on namespaces; it's not as granular as anyone likes, but it can help keep the privilege use low while allowing all the same functionality. You can give a certain user in WMI additional privileges to certain namespaces, so that even if the password was compromised, the account's abilities are limited to the WMI namespaces, not the entire machine or, if it's a domain account, the entire network.
I notice you're using the Win32_Process class, which ordinarily does require administrator access to see ALL users' processes; otherwise you're limited to only the "users" or "power users" processes.
Scheduled tasks can also run as system, which technically is a higher-privileged account than even Admin, so even more caution should be used if using the system account: if someone replaces your exe with their own, then that exe will be run as System, giving them full control of the system. This holds true for services that run as the local system as well; Windows has some security built around this but not all that much.
I'd suggest editing the WMI permissions of the namespace, perhaps during installation of your application.
"Hidden authentication" or security through obscurity is the wrong choice; use the tried and true methods already available in the OS when you can.
http://technet.microsoft.com/en-us/library/cc771551.aspx
-rich
wmi-perms.jpg
0
 

Author Comment

by:peer754
ID: 38346026
Ok, thanks for the advice.

I realize now that what I originally wanted to do is not possible at all.
I might go back to the encrypted password stored in my .exe config as the final solution.
Is there some nice tutorial / recipe that I could use explaining the best practice in how to encrypt / decrypt the password?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 38346294
http://www.sans.org/reading_room/whitepapers/securecode/avoid-information-disclosure-managing-windows-wmi_1816
However, it does not talk about storing passwords in a script or binary; it is always a no-no to use a static password. Default passwords, esp. with ADMIN access, are a bigger no-no. If it's a must, then make sure the account only has WMI admin access; on XP this isn't very granular, but if you mess with dcomcnfg.exe and wmimgmt.msc (which is scriptable as well -> http://www.activexperts.com/admin/scripts/wmi/vbscript/0387/)
There are best practices like adding "pktPrivacy" if you're connected remotely, but otherwise storing the password, not so good. This is the reason service accounts exist: install as a service and have the System manage the password security.
http://msdn.microsoft.com/en-us/library/zt39148a%28v=vs.80%29.aspx
-rich
0
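
An added example, not code from the thread or any poster, of the two options the answers point to: connecting with the scheduled task's own identity and packet privacy, and, where a password has to be stored, protecting it with Windows DPAPI (a technique chosen here, not one named in the thread) instead of a hand-rolled cipher. The class and method names are hypothetical, and it assumes the protected value is created and read by the same Windows account on the same machine.

```csharp
// Added example, not code from the thread. References: System.Management.dll, System.Security.dll.
using System;
using System.Management;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class WmiConnect   // hypothetical helper class
{
    // Preferred: no Username/Password set, so WMI authenticates as the account
    // the scheduled task runs under. PacketPrivacy encrypts the DCOM traffic.
    public static ManagementScope AsTaskIdentity(string server)
    {
        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy;
        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\CIMV2", options);
        scope.Connect();
        return scope;
    }

    // Run once, as the task account, to produce the value stored in the config file.
    public static string Protect(string password)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(password), null, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Fallback when a different account is required: only the Windows user that
    // called Protect can decrypt the blob, and no key lives in the exe or config.
    public static ManagementScope WithStoredPassword(string server, string domain, string user, string protectedBase64)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(protectedBase64), null, DataProtectionScope.CurrentUser);
        SecureString secret = new SecureString();
        foreach (char c in Encoding.UTF8.GetChars(plain)) secret.AppendChar(c);
        Array.Clear(plain, 0, plain.Length);   // wipe the decrypted bytes
        secret.MakeReadOnly();

        ConnectionOptions options = new ConnectionOptions();
        options.Username = user;                       // user name only, no domain prefix
        options.SecurePassword = secret;
        options.Authority = "ntlmdomain:" + domain;
        options.Authentication = AuthenticationLevel.PacketPrivacy;
        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\CIMV2", options);
        scope.Connect();
        return scope;
    }
}
```

DPAPI keeps the stored value unreadable to other accounts, but any code running as the task account can still decrypt it, so the account's WMI namespace permissions remain the control that limits damage.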

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In real business world data are crucial and sometimes data are shared among different information systems. Hence, an agreeable file transfer protocol need to be established.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month20 days, 14 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question