Security Basics mailing list archives
dpapi security considerations
From: Ingeniero Arellano <arellanobmsc () gmail com>
Date: Wed, 3 Mar 2010 16:57:48 -0400
Hello, I am evaluating the use of Windows DPAPI to store database connection strings. 1. What are the implications of virtualized servers which are cloned for backup.. does access to the backup machine basically make the administrator level access easily obtainable, and thus a simple DPAPI.Decrypt command on the registry key to find the strings? 2. Is it useful to enforce the use of a non-null pseudo-random "secondary entropy" parameter such as a phrase made-up by the developer? Is it better practice to store this in code (which can be decompiled so easily) or in an obfuscated registry key? 3. Can Registry key permissions (DACL) provide a way to disallow access to the cyphertext even if the machine=B4s Admin account has been compromised? 4. Unrelated, is there anything similar to DPAPI for Linux? I've seen replies to this that anybody can write a key-management daemon but is there one out there that has a high level of developer acceptance and a simple API? In a nutshell, is DPAPI only as safe as the Administrators/Users password or can secondary entropy and registry permissions create a meaningfull additional layer of security for the stored secrets? I don't think we can use passwords since there is no manual intervention. Thanks, Eric ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- dpapi security considerations Ingeniero Arellano (Mar 04)