
I execute net user command from C# and map the network to the local computer. Below is my code:

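```csharp
using System.Diagnostics;

string netUse = @"net";
// Verbatim string: "\U" in a regular string literal is an invalid escape sequence.
string DomainUser = @"Domain\User";
// The password becomes part of the net.exe command line here.
string parameters = "use \"" + ServerLocation + "\" " + server.Password +
    @" /USER:" + DomainUser  + @" /PERSISTENT:NO";

ProcessStartInfo psi = new ProcessStartInfo(netUse, parameters);
psi.CreateNoWindow = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
```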

I found that the security sensor (Falcon) detected access with a plain password:

net.exe
ComandLine: "net" use "\ServerLocation\d$" Password /USER: User /Persistent:NO

FalconSecurity

My question is: Is it possible to hide the password?

  • String variable parameters shouldn't be concatenated. Use const, string.format, or StringBuilder – GH DevOps Oct 04 '21 at 13:37
  • Maybe related: [How to Map a Drive using C#?](https://stackoverflow.com/q/3465182/982149) – Fildor Oct 04 '21 at 14:19
  • If you need to authenticate and authorize for the share, you need to provide the password. No way around that, as far as I am aware. You could use P/Invoke to use native API, though (see link above). But _that_ also takes a password. – Fildor Oct 04 '21 at 14:22
  • @GHDevOps Thanks a lot for the reply I fix this, but as I understand it will not resolve my problem? – Sona Ghazaryan Oct 04 '21 at 14:32
  • @Fildor Thanks a lot, maybe we should use another way, such as PowerShell commands? – Sona Ghazaryan Oct 04 '21 at 14:34
  • PS commandlets will also need some sort of authentication. If putting a plain password in your code is an actual issue to you / your software, then you need to find another solution for whatever you are actually trying to do here. – Fildor Oct 04 '21 at 14:46
  • The typical way for services to authenticate is to use SSL certificates. Investigate if there is a way to do this through Active Directory. – Dour High Arch Oct 04 '21 at 16:46
  • Does this answer your question? [Starting a process with a user name and password](https://stackoverflow.com/questions/17908993/starting-a-process-with-a-user-name-and-password) – Chris Schaller Oct 05 '21 at 03:46
  • @ChrisSchaller unfortunately this does not resolve my problem. – Sona Ghazaryan Oct 05 '21 at 08:05
  • @SimonKerbos that doesn't surprise me, I'll put an answer in, basically what you are doing is a blatant security risk, doesn't matter how you wrap it, your code _needs_ a plain text password to do this. The solution is to map the drive from an elevated context, any attempt to impersonate an elevated context from code of course needs the password. Why is your app trying to map drives on behalf of another user anyway, that is itself a security black hole, no production IT Admin is going to willingly support this, not when there are specific AD, logon and group policy solutions for this. – Chris Schaller Oct 05 '21 at 14:36
  • Even if you are writing a tool designed for domain admins to use, your tool should be setting the relevant policies or logon scripts for users or groups instead of executing tasks on behalf of other users... this is a clear XY issue, either accept that what you are doing is a security risk, or explain what you are actually trying to achieve and we can tell you how to achieve the same task while respecting standard Windows security environment and execution context expectations. – Chris Schaller Oct 05 '21 at 14:41
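
The native API route mentioned in the comments, as an added example that is not code from the question or its commenters: calling `WNetAddConnection2` from `mpr.dll` hands the password to Windows inside the calling process, so no `net.exe` child process is started and the password never appears in a command line that process-creation telemetry records. The names `ShareMapper`, `Connect` and `Disconnect` are illustrative; the call still needs the clear-text password, which is assumed to be supplied by the caller at run time rather than stored in the code.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class ShareMapper   // illustrative name, not from the question
{
    private const int RESOURCETYPE_DISK = 1;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct NETRESOURCE
    {
        public int dwScope;
        public int dwType;
        public int dwDisplayType;
        public int dwUsage;
        public string lpLocalName;
        public string lpRemoteName;
        public string lpComment;
        public string lpProvider;
    }

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetAddConnection2(ref NETRESOURCE netResource,
        string password, string userName, int flags);

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetCancelConnection2(string name, int flags, bool force);

    // Connects to remotePath (a UNC path such as \\server\share) without spawning net.exe.
    public static void Connect(string remotePath, string domainUser, string password)
    {
        var resource = new NETRESOURCE
        {
            dwType = RESOURCETYPE_DISK,
            lpLocalName = null,          // no drive letter; the UNC path is used directly
            lpRemoteName = remotePath
        };
        // flags = 0: the connection is not remembered in the profile (like /PERSISTENT:NO).
        int rc = WNetAddConnection2(ref resource, password, domainUser, 0);
        if (rc != 0)
            throw new Win32Exception(rc);   // error code only; the password is never logged
    }

    // Drops the connection once the work on the share is finished.
    public static void Disconnect(string remotePath)
    {
        int rc = WNetCancelConnection2(remotePath, 0, true);
        if (rc != 0)
            throw new Win32Exception(rc);
    }
}
```

This keeps the password out of command-line logging only; it is still present in the process's memory and has to reach the process from somewhere, as the comments above point out.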
