
Would using SecureString in this situation improve security?


My custom .Net process maps a drive with a different account than the current context. The password is stored in the config file, DPAPI encrypted with the machine key.

The code works, but I'm wondering if usage of SecureString would offer additional security. I believe the weakness below lies with the PlainBytes array and the MapPwd and MapDriveCmd strings when they are in memory in plain text.

I've done some research on SecureString, but don't quite understand if it applies here. The three local suspect variables aren't used after the code below. If I keep it as is without SecureString, will the garbage collector dispose of these before the process ends?

using System;
using System.Configuration;
using System.Security.Cryptography;

// MapLetter, MapPath and MapUser are set elsewhere in the process.
byte[] CipherBytes = Convert.FromBase64String(ConfigurationManager.AppSettings.Get("MapPwd").Trim());
byte[] PlainBytes = ProtectedData.Unprotect(CipherBytes, null, DataProtectionScope.LocalMachine); // machine-scope DPAPI
string MapPwd = System.Text.Encoding.UTF8.GetString(PlainBytes); // plaintext password now held in a managed string

string MapDriveCmd = "/C net use " + MapLetter + " " + MapPath + " " + MapPwd + " /USER:" + MapUser + " /PERSISTENT:NO";
System.Diagnostics.Process MapDrive = System.Diagnostics.Process.Start("CMD.exe", MapDriveCmd); // password is passed on the cmd.exe command line
MapDrive.WaitForExit();

Any additional comment on the technique in general is welcome. Thanks.


Solution

  • Using SecureString is not going to be very beneficial in your case.

    The purpose of SecureString is to provide a way for data to be garbage collected when no longer needed, so that the data doesn't linger in RAM. If the data was kept around, someone could use a debugger (or other similar method) to inspect the process's allocations and potentially get the result.

    DPAPI simply isn't very secure. It's not bad...but it's a reversible algorithm. It's far better to use one-way hashing algorithms. However, you cannot do that in this use case. Since you're using DPAPI, any other user of the PC probably has the ability to read your config file. If they can read the config file, and since you're using the machine key, that user can easily decrypt your password by simply calling ProtectedData.Unprotect().

    To make this more secure, don't use passwords. If possible, grant permission to an AD machine account or managed service account.
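Added example (not code from the question or the answer): the question's LocalMachine-scope DPAPI call beside a CurrentUser-scope call with extra entropy, with the plaintext buffer overwritten as soon as it has been used. It assumes Windows with a reference to System.Security (ProtectedData); the class name, entropy value and test password are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeDemo
{
    // Constructed entropy (hypothetical value). It is a second DPAPI input, not an
    // access control: whoever can read it and run as the protecting user can still
    // call Unprotect.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");
    // As in the question: LocalMachine scope, no entropy. Any account that can read
    // the config file and run code on this host can reverse it with Unprotect.
    public static string ProtectMachineScope(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try { return Convert.ToBase64String(
                  ProtectedData.Protect(plain, null, DataProtectionScope.LocalMachine)); }
        finally { Array.Clear(plain, 0, plain.Length); }   // overwrite the plaintext
    }

    // Tighter: CurrentUser scope ties the key to the service account that runs the
    // process, so Unprotect from another account throws CryptographicException.
    public static string ProtectUserScope(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try { return Convert.ToBase64String(
                  ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Decrypt, hand the bytes to the caller, then overwrite them. A string copy (the
    // question's MapPwd) cannot be zeroed because .NET strings are immutable, so keep
    // the secret as bytes and convert as late as possible.
    public static void WithUserScopeSecret(string base64, Action<byte[]> use)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64), Entropy, DataProtectionScope.CurrentUser);
        try { use(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        string token = ProtectUserScope("constructed-test-password");   // constructed input
        WithUserScopeSecret(token, plain =>
            Console.WriteLine(Encoding.UTF8.GetString(plain) == "constructed-test-password"
                ? "round trip ok" : "round trip failed"));
    }
}
```

Running the round trip under one account and then calling WithUserScopeSecret on the same token under another local account is the practical check of the answer's point: the CurrentUser token fails to decrypt, whereas a LocalMachine token decrypts for either account.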