Prevent the installer from displaying passwords or other confidential information in the log file.
Most of us know about the article that talks about how preventing Confidential Information from Being Written into the Log File, but few more questions are raised in that area:
- Can we pass the list of properties we want to hide (e.g. MsiHiddenProperties property) using the command line (instead of changing our MSI) - Surprising the answer is NO, this has to be built inside the MSI as new property and compile it
- If we follow all the steps identified in the main article, Will the Windows Installer hide all the sensitive information we request from being written to all log lines - NO, for example if you saved the sensitive info to registry, the operation will be in the log (But than again, WHY would yo save clear text)
Another example is that if your code writes to log than you will have to manage it
as a rule of thumb, you should NEVER persist the password as clear text in any area and I would even question the need to persist it in any case, find alternative like delegation / SSO / SSH keys and other which will be more robust (cost more) and more secure
Hope this helps
Prevent the installer from displaying passwords or other confidential information in the log file.
Reviewed by Ran Davidovitz
on
8:16 PM
Rating:
No comments:
Post a Comment