How secure is the LogonUser API?

  • Question

  • Hello All, 

    I am currently working on making our code more secure, ensuring that credentials (in particular passwords) are not kept plaintext in memory, databases, files, and over the wire.

    We put a lot of effort into securing all credentials in memory by either encrypting them or using SecureStrings. In some cases, these encrypted credentials are used as part of a logon or impersonation process, in which case we use the LogonUser API as shown below.

    Since LogonUser requires a plaintext password, we make sure to decrypt the password right before LogonUser is called and clean the string right after. However, I do not understand what happens with the password string in the context of the LogonUser implementation. For instance, if I am calling LogonUser with a domain account, I would imagine that the credentials would have to make their way to the DNS/AD machine. If the passwords were sent plaintext, someone could sniff them to use in a man-in-the-middle type of attack.

    So my questions are:

    - How secure is LogonUser? Does it use any type of encryption to communicate with the DNS/AD? What is the flow? 

    These are probably basic questions for those versed in Windows security. 

    Any help is greatly appreciated. 

    Kind regards

    CD

    [DllImport("advapi32.dll", SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    internal static extern bool LogonUser(
      [MarshalAs(UnmanagedType.LPStr)] string pszUserName,
      [MarshalAs(UnmanagedType.LPStr)] string pszDomain,
      [MarshalAs(UnmanagedType.LPStr)] string pszPassword,
      int dwLogonType,
      int dwLogonProvider,
      ref IntPtr phToken);

    Friday, September 7, 2018 7:18 PM

All replies

  • I would be doubtful it's fully secure, see the following (in C#), read the full page if time permits.

    Friday, September 7, 2018 9:31 PM
    Moderator
  • Hello Karen, 

    Thank you for your reply. I read the examples in the link you sent. We are using SecureStringToGlobalAllocUnicode (System.Security.SecureString s) as indicated in the link. My code is pasted below. You will see that at some point I call LogonUser. 

    My original question still remains. What happens with the "IntPtr password" parameter? Is there any OS/kernel/.NET specific encryption that intrinsically prevents someone from sniffing the values off the traffic? It seems unlikely that such a basic call is not secure. I am not a security expert and probably this is a stupid question. I am concerned specifically with domain accounts in which case somehow the LogonUser call will need to send the password to Active Directory, which could be hundreds of miles away. Using Wireshark to capture traffic is very easy and if the passwords are plaintext it would be easy to capture them. 

    Kind regards

    CD


    • Edited by crbd98 Thursday, September 13, 2018 9:49 PM
    Saturday, September 8, 2018 5:00 PM
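
The pattern the post above describes (SecureString, SecureStringToGlobalAllocUnicode, then LogonUser with an IntPtr password), written out as an added example; it is not the poster's code, which did not survive on this page. The class and method names and the interactive logon type are assumptions for illustration. It covers only how long the cleartext copy lives in this process, not what happens after LogonUser hands the credentials to the system.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper class; the names are not from the thread.
internal static class SecureLogon
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // CharSet.Unicode binds to LogonUserW. The password is declared as IntPtr,
    // so the marshaler never creates a managed string copy of it.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, IntPtr lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    internal static SafeAccessTokenHandle Logon(string user, string domain, SecureString password)
    {
        IntPtr plain = IntPtr.Zero;
        try
        {
            // Decrypts into an unmanaged buffer that the GC cannot move or copy.
            plain = Marshal.SecureStringToGlobalAllocUnicode(password);

            if (!LogonUser(user, domain, plain, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
            return token; // caller disposes the handle when impersonation ends
        }
        finally
        {
            // Runs on success and on failure: overwrite the cleartext, then free it.
            if (plain != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(plain);
        }
    }
}
```

The `finally` block is what keeps a failed logon or an exception from leaving the decrypted password in unmanaged memory.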
  • Hi crbd98,

    When you send the password, you could try to encrypt the password with an asymmetric algorithm. Asymmetric algorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must be known only by the party who will decrypt the data encrypted with the public key. 

    Best Regards,

    Wendy



    Wednesday, September 19, 2018 8:37 AM
    Moderator
  • I'm not a Windows security expert. Having said that, I suggest you read https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication which states that Netlogon.dll - "Passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers (SIDs) and user rights for the user."

    I hope you find this helpful.

    • Marked as answer by crbd98 Thursday, September 20, 2018 4:23 AM
    Wednesday, September 19, 2018 11:16 AM
  • Hello RLWA32, 

    This is very serendipitous! I had found the same articles you recommended just hours before your reply. They are very good and go into a lot of detail describing the creation of secure channels when the machines and users log on in different scenarios (local, domain, etc.). Great stuff well worth reading. 

    Kind regards

    CD

    Thursday, September 20, 2018 4:29 AM