Question

I recently read the following SO question.

What's the best way to store a password or private key on a web host?

It mentions encrypted connection strings (for use in an ASP.NET app) or using the Data Protection API (DPAPI) at the time of this writing. Both seem like good solutions for this user's particular use case.

However, traditionally I've always stored sensitive configuration values like passwords and connection strings in User Environment Variables on the server(s) they are being used on. These are easy to define, change, and read (from an IT perspective). They're also easy to access regardless of the framework or language used.

The question is: Is it good practice to store sensitive data in Windows user environment variables and, if not, why?

EDIT:

Based on Ken's comments, a prerequisite question should be: Are the Windows registry contents encrypted?


Solution

Whatever you store in the User or System Environment is stored in clear text (non-encrypted) in the NTUSER.DAT and SYSTEM registry files. They can be read not only with a hex editor but even with a simple text editor or grep, and more easily still if you use one of the many tools that parse/extract data from registry files.

Example (Windows 2008 Server, dump done with RIP Linux):

This is the Environment Variables dialog. I have set a User variable (MySecretPassword=NobodyCanReadThis) and a System variable (MySystemSecret=NobodyCanReadThisEither):

[Image: Windows Environment Variables dialog, with one user and one system variable]

This is how it looks with hexedit from Linux, after mounting the Windows NTFS partition and looking for the NTUSER.DAT file in the Administrator directory. You can easily search for the user environment variable name and you'll find its content in clear text:

[Image: hexdump of NTUSER.DAT]

This is the SYSTEM registry file from the Windows\System32\Config directory. Again, you can easily search for the variable name. In this case, the value of the variable was several bytes after the variable name, but it was very easy to spot:

[Image: hexdump of SYSTEM]
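The two hive locations the answer above dumps offline are the registry keys Windows uses to persist User and System environment variables. The following PowerShell script is an added example, not part of the original answer: it reads those keys live, shows that the values are ordinary REG_SZ/REG_EXPAND_SZ text (stored on disk as UTF-16LE, which is why the hex dumps show the characters interleaved with zero bytes), and flags variable names that look like they hold credentials. The name patterns are an illustrative list I chose, not a standard. Reading the HKLM key requires an elevated prompt.

```powershell
# Added example (not from the original answer): audit where Windows persists
# User and System environment variables and flag secret-looking names.

function Get-EnvironmentSecretAudit {
    # The two registry keys behind the "Environment Variables" dialog.
    $locations = @(
        @{ Scope = 'User';   Path = 'HKCU:\Environment' }
        @{ Scope = 'System'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' }
    )

    # Illustrative substrings that often indicate a credential in a variable name (assumption).
    $suspicious = 'PASSWORD|PASSWD|PWD|SECRET|TOKEN|APIKEY|API_KEY|CONNECTIONSTRING|PRIVATEKEY'

    foreach ($loc in $locations) {
        $key = Get-Item -Path $loc.Path -ErrorAction Stop
        foreach ($name in $key.GetValueNames()) {
            # Read the raw value without expanding %VAR% references, i.e. what is on disk.
            $raw  = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $kind = $key.GetValueKind($name)   # String / ExpandString: plain text, no encryption

            # How the value actually sits in the hive file: UTF-16LE, so a hex editor
            # shows "N.o.b.o.d.y..." and `strings -e l` (or a UTF-16 grep) will find it.
            $onDiskBytes = [System.Text.Encoding]::Unicode.GetBytes([string]$raw).Length

            [pscustomobject]@{
                Scope       = $loc.Scope
                Name        = $name
                Kind        = $kind
                OnDiskBytes = $onDiskBytes
                Flag        = if ($name -match $suspicious) { 'SECRET-LIKE' } else { '' }
                Value       = $raw
            }
        }
    }
}

# Usage: list everything, or only the entries that look like credentials.
Get-EnvironmentSecretAudit | Format-Table -AutoSize
Get-EnvironmentSecretAudit | Where-Object Flag -eq 'SECRET-LIKE'
```

Running this after defining the two variables from the answer lists MySecretPassword under the User scope and MySystemSecret under the System scope, both flagged and both with their plain-text values, which is the same information an offline read of NTUSER.DAT or SYSTEM yields.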

OTHER TIPS

In addition to the above answers, you can log in as a different user and use a tool such as Sysinternals Process Explorer to look at the running process. One of the tabs lists the environment variables that the process is running with, including the not-so-secret user environment variables.

I was shocked when I saw this and have now changed to use a secured file only accessible by the user running the process.
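The mitigation the post above settles on, a file that only the process's own account can read, combined with the DPAPI option from the question, looks like the following in PowerShell. This is an added example, not the poster's code: the file path is an assumed placeholder, and `ConvertFrom-SecureString` without a `-Key` uses DPAPI under the current user, so only that account on that machine can decrypt the file. The ACL is then rewritten so that nothing inherited from the parent directory grants other users access.

```powershell
# Added example (not from the original post): store a secret as a DPAPI-protected
# file restricted to the account that runs the process, instead of an env var.

$secretPath = Join-Path $env:LOCALAPPDATA 'MyApp\db-password.dpapi'   # assumed location

function Protect-AppSecret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][string]$Path
    )
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null

    # DPAPI, current-user scope: decryptable only by this account on this machine.
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $secure | Set-Content -Path $Path -Encoding ASCII

    # Drop inherited ACEs and leave a single explicit ACE for the current user.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheritance, discard inherited rules
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Unprotect-AppSecret {
    param([Parameter(Mandatory)][string]$Path)
    # The file holds one line: the DPAPI-encrypted standard string.
    $secure = ConvertTo-SecureString -String (Get-Content -Path $Path)

    # Marshal to plain text only at the point of use, then zero the unmanaged copy.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Usage: protect the value from the answer's example, inspect the ACL, read it back.
Protect-AppSecret -PlainText 'NobodyCanReadThis' -Path $secretPath
(Get-Acl -Path $secretPath).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Unprotect-AppSecret -Path $secretPath
```

Unlike an environment variable, the value never lands in NTUSER.DAT or SYSTEM, a second user cannot read the file, and Process Explorer's environment tab shows nothing, because the secret is only decrypted inside the process when it is needed. The caveat is that an administrator who can run code as that account can still call the same DPAPI decryption, so this limits exposure rather than eliminating it.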

Licensed under: CC-BY-SA with attribution