Secure windows Impersonation?

Question

In my WPF application I want to allow administrators to test a database connection using integrated security for various other users. So I have a form that allows the admin to enter the domain, username and password and then test it. I am able to securely handle the password right up until I call LogonUser in the advapi32.dll which takes a string password

LogonUser(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref UserHandle)

I have written a utility function which converts the SecureString to a string as safe as possible, and then im calling it on the password in the LogonUser call:

LogonUser(UserName, Domain, Helper.ConvertSafely(Password), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref UserHandle)

Since the signature for LogonUser takes a string, unless LogonUser is taking proper care of the password in its execution, it could still be on my call stack in plain text after the call returns. Is there a more secure way to impersonate a user in which i can be confidant the PW is secure the whole time?

Basically all I need is a WindowsImpersonationContext but i would like to aquire it without the password ever being in plain text.

Answer 1

Inside your managed application you can make use of the SecureString class to handle sensitive information. There is usually no need to roll your own secure string mechanism.

Just before you pinvoke into LogonUser you are then passing the unmanaged copy of the SecureString password. You use the Marshal.SecureStringToGlobalAllocUnicode Method for this. Thus there is never a managed object in your app domain representing the password.

You can find example code in this article.

If you require even more security I would suggest to disallow direct database connection from you wpf clients. You can introduce a middle tier. Security is thus shifted away from the clients to this one server. Communication between Client and App-Server is encrypted and only the app server talks to the database.