I'm writing a Windows service and need to make authenticated web requests. The service will not be running under the ownership of the credentials used to make the request; this implies that I need to store the credentials for the request in some way.

What are the best practices here? The credentials will need to be stored in App.config (or an analog); I'd rather not have the password hanging out in plain text. As passwords change frequently, building or otherwise baking in the password to the binary is not an option.

The same question applies for PowerShell. I need to make authenticated requests, but I don't want the script to contain in a plain-text form the credentials used for the requests.

+4  A: 

Can't take the credit for the answer, but here's a blog post called "Encrypting Passwords in .NET App Config" with full code included.

http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

Timur Fanshteyn

+1  A: 

I always refer to Keith Brown's "The .NET Developer's Guide to Windows Security" book for stuff like this.

The complete text is online at http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage

The specific section you want (on storing secrets) is at http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToStoreSecretsOnAMachine.html

Antony Perkov
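
For the PowerShell half of the question, one way to keep the password out of the config file in plain text is the Windows Data Protection API (DPAPI), shown here as an added example that is not taken from either answer or from the linked resources. It assumes Windows PowerShell 5.1; the file path, entropy string, account name and password are constructed for illustration.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# CurrentUser: only the account that encrypted the blob can decrypt it, and only
# on this machine. LocalMachine would let any process on the machine decrypt it.
$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Hypothetical app-specific entropy; it is not a secret, it only separates this
# application's blobs from other DPAPI blobs made by the same account.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('MyService/web-credential')
# Hypothetical location for the stored credential.
$path    = Join-Path $env:TEMP 'service-credential.json'

function Protect-Secret([string]$PlainText) {
    # Encrypt with DPAPI and return Base64 text that is safe to put in a config file.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $entropy, $scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret([string]$Base64) {
    # Reverse of Protect-Secret; throws CryptographicException for any other account.
    $blob  = [Convert]::FromBase64String($Base64)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# One-time setup, run as the account the service runs under and repeated
# whenever the password changes. User name and password are constructed values.
@{ UserName = 'svc-web'; Password = (Protect-Secret 'constructed-password') } |
    ConvertTo-Json | Set-Content -Path $path -Encoding UTF8

# At run time: load the file, decrypt, and build a credential for the request.
$stored = Get-Content -Path $path -Raw | ConvertFrom-Json
$secure = ConvertTo-SecureString (Unprotect-Secret $stored.Password) -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($stored.UserName, $secure)

# $cred can now be passed to a cmdlet that takes -Credential, such as Invoke-WebRequest.
"Loaded credential for $($cred.UserName); the file on disk holds only the DPAPI blob."
```

Because the blob is bound to the account that created it, the setup step has to run as the service account itself. DPAPI protects the file from other accounts and from being copied off the machine, not from code already running as that account.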