feature(secret-rotation): windows local account secret rotation

[victorvhs017]

Context

This PR implements Windows Local Account secret rotation using SMB/RPC. This is done using the samba-client package in the image due to the lack of native support in the Node.js ecosystem.

Key changes:

• Added new Windows (SMB) App Connection for connecting to Windows servers via SMB3 with encryption
• Implemented Windows Local Account rotation using rpcclient to change passwords via SMB/RPC
• Created secure credential handling using temporary authentication files (avoiding command-line exposure)
• Added username validation to prevent command injection (max 20 chars, Windows-compliant character set)
• Updated all 5 Dockerfiles to include samba-client package
• Added comprehensive documentation for the Windows connection and rotation

Steps to verify the change

Windows App Connection

• Create an app connection with and without a custom gateway
• Create an app connection for an account inside a Windows AD domain
• Create an app connection on port 445 and on a custom port
• Create an app connection through the API

Windows Secret Rotation

• Create a secret rotation for each of the connections above
• Create a secret rotation through the API
• Create a secret rotation logging as root and as target
• Test the secret rotation reconcile function

Documentation

• Review the Windows App Connection documentation
• Review the Windows Secret Rotation documentation

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR implements Windows Local Account secret rotation using SMB/RPC protocol, adding a new app connection type and rotation provider. The implementation follows secure coding practices with comprehensive input validation and proper credential handling.

Key Changes

• Added Windows (SMB) app connection with SMB3 encryption support
• Implemented Windows local account password rotation via rpcclient
• Created centralized SMB validation utilities preventing command injection
• Added temporary authentication files with restrictive permissions (0o600) to avoid command-line credential exposure
• Integrated dangerous character filtering for passwords (blocks ; | & \ $ ( )` and newlines)
• Added reconcile functionality for out-of-sync credentials
• Updated all 5 Dockerfiles to include samba-client package
• Comprehensive documentation for both connection and rotation

Security Strengths

• Uses RE2 regex throughout to prevent ReDoS attacks
• Validates all user inputs (hostnames, domains, usernames, passwords) before use
• Blocks local/private IP addresses for SSRF protection (when not using gateway)
• Temporary auth files with owner-only permissions
• Proper cleanup of auth files in finally blocks
• Gateway proxy support for network isolation
• Single-quote escaping for RPC password handling

Critical Issue Found

• Missing privileged account protection: Unlike Unix rotation which blocks root/admin/administrator/sudo, this allows rotating built-in Windows privileged accounts like Administrator, potentially causing denial of service

Confidence Score: 4/5

• This PR is generally safe to merge with one critical security issue that should be addressed
• Score reflects strong security practices (RE2 regex, input validation, SSRF protection, secure credential handling) but deducted one point for missing privileged account protection that could allow rotating built-in Administrator accounts. The Unix/Linux rotation implementation correctly blocks privileged accounts, but Windows implementation lacks this safeguard.
• backend/src/ee/services/secret-rotation-v2/windows-local-account-rotation/windows-local-account-rotation-fns.ts requires attention to add privileged account blocking

Important Files Changed

Filename	Overview
backend/src/lib/smb-rpc/smb-rpc-client.ts	Implements SMB RPC client with strong input validation, authentication file handling, and RE2 regex usage
backend/src/lib/validator/validate-smb.ts	Defines centralized SMB validation utilities with character validators and dangerous character blocking
backend/src/ee/services/secret-rotation-v2/windows-local-account-rotation/windows-local-account-rotation-fns.ts	Implements Windows password rotation with self-rotation and admin-managed modes, includes credential verification
backend/src/services/app-connection/smb/smb-connection-fns.ts	Implements SMB connection validation with gateway support and IP address blocking for SSRF protection
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts	Integrates Windows rotation factory and extends reconcile function to support both Unix and Windows account rotations

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[akhilmhdh]

Doing an application test shortly

[victorvhs017]

@greptileai re-review this PR and update the summary

[greptile-apps]

_{5 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}