Encrypted Credentials in Push mode on Windows 7

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 2 years, 10 months ago.

  • #16057
    Jay Spang
    Participant

    I'm trying to use DSC to maintain configuration on a handful of shared servers. My plan is to put my DSC scripts into Source Control so anyone on my team can edit the configuration and 'push' it from their own workstation. All the workstations as well as the servers themselves (the nodes) are running Windows 7.

    Everything works great now, but my problem is that it puts my domain password in plain-text in the MOF file. I don't anticipate ever checking those files into source control, but my teammates aren't happy about code that puts their passwords into a plain-text file.

    I looked into a few options. This page gives instructions, but it uses the 'Export-Certificate' function, which doesn't seem to be available on Win7. It also seems like I could set DSC to run locally on the node (in Pull mode), but I don't have anywhere to set up a Pull server.

    So, are there any simple methods to encrypt my credentials so they're not stored in clear text? Here's my code right now, which works great (aside from the aforementioned storing of passwords in clear text in the MOF).

    
    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName = "*" # Settings that apply to all nodes
                PSDscAllowPlainTextPassword = $true # this is what leaves the password in clear text in the MOF
            }
            @{
                NodeName = "SERVER01" # placeholder: one entry per target server; the MOF is named after it (SERVER01.mof)
            }
        )
    }

    Configuration ManagedServers
    {
        param (
            [Parameter(Mandatory = $true)] [PSCredential] $Credential
        )

        # The Node keyword takes the node names; DSC merges the "*" entry into every real node
        Node $AllNodes.NodeName
        {
            Group Administrators
            {
                GroupName = "Administrators"
                Ensure = "Present"
                Members = "DOMAIN\User"
                Credential = $Credential # domain credential used to resolve DOMAIN\User
            }
        }
    }

    # Compiles .\ManagedServers\<NodeName>.mof, which Start-DscConfiguration then pushes to each node
    ManagedServers -ConfigurationData $ConfigurationData -Credential (Get-Credential)
    
  • #16058
    Don Jones
    Keymaster

    I thought we'd covered this in The DSC Book, hadn't we? You need to include the certificate thumbprint that the node will use to decrypt the credentials – meaning the certificate itself must be pre-deployed. It works the same as if the config is coming from a pull server. And don't forget that a pull server can also just be a file server; you don't need to go the web server route, if that helps.
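
The certificate-based approach described in the reply above, written out as an added example (not code from either poster) in the WMF 4.0 syntax that runs on Windows 7. It assumes a node named SERVER01 (placeholder) that already holds a certificate with a private key in Cert:\LocalMachine\My (for example one enrolled from the domain CA; how it gets there is outside this example), and the thumbprint and the C:\DscCerts path are placeholders to replace. Because Export-Certificate is not available on Windows 7, the public certificate is exported with the .NET X509Certificate2 class instead.

```powershell
# Added example, not from the thread. WMF 4.0 / Windows 7 syntax.
# Placeholders: node name SERVER01, thumbprint, C:\DscCerts.

# ---- Step 1, run ON THE NODE: export the public certificate without Export-Certificate ----
$Thumbprint = 'PLACEHOLDER0000000000000000000000000000'       # placeholder, replace with the real one
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'The node certificate has no private key, so the LCM could never decrypt with it.'
}
# X509ContentType::Cert exports only the public part; the private key stays on the node.
$cerBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path 'C:\DscCerts' -Force | Out-Null
[System.IO.File]::WriteAllBytes('C:\DscCerts\SERVER01.cer', $cerBytes)
# Copy SERVER01.cer to the authoring workstation. It holds no secret, so it can live in source control.

# ---- Step 2, run ON THE WORKSTATION ----
# No PSDscAllowPlainTextPassword any more: the compiler refuses a plain-text credential unless the node
# entry carries CertificateFile (used to ENCRYPT at compile time) and Thumbprint (tells the LCM which
# private key DECRYPTS).
$ConfigurationData = @{
    AllNodes = @(
        @{ NodeName = '*' }   # settings common to every node
        @{
            NodeName        = 'SERVER01'                                  # placeholder
            CertificateFile = 'C:\DscCerts\SERVER01.cer'                  # copied from the node in step 1
            Thumbprint      = 'PLACEHOLDER0000000000000000000000000000'    # placeholder, same cert as above
        }
    )
}

# Meta-configuration: point the node's LCM at the decryption certificate. Pre-deployed cert, pre-set LCM.
Configuration ManagedServersLcm
{
    Node $AllNodes.NodeName
    {
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }
    }
}

Configuration ManagedServers
{
    param (
        [Parameter(Mandatory = $true)] [PSCredential] $Credential
    )

    Node $AllNodes.NodeName
    {
        Group Administrators
        {
            GroupName  = 'Administrators'
            Ensure     = 'Present'
            Members    = 'DOMAIN\User'
            Credential = $Credential   # stored in the MOF encrypted with the node's public key
        }
    }
}

$cred = Get-Credential

ManagedServersLcm -ConfigurationData $ConfigurationData | Out-Null
Set-DscLocalConfigurationManager -Path .\ManagedServersLcm -Verbose

ManagedServers -ConfigurationData $ConfigurationData -Credential $cred | Out-Null

# Check before pushing: the compiled MOF must not contain the password in clear text.
$mofText = Get-Content -Path .\ManagedServers\SERVER01.mof -Raw
if ($mofText.Contains($cred.GetNetworkCredential().Password)) {
    throw 'SERVER01.mof still contains the plain-text password; do not push it.'
}

Start-DscConfiguration -Path .\ManagedServers -Wait -Verbose
```

The split matters: the .cer on the workstation can only encrypt, and the private key never leaves the node, so a MOF that leaks from a workstation or a share is useless without access to the node's certificate store. The final check is worth keeping in the script, because a node entry that is accidentally left with PSDscAllowPlainTextPassword = $true compiles without complaint.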

  • #16059
    Jay Spang
    Participant

    Which method do you advise? Setting up a Pull server from a UNC share (I hope I don't need admin access to the file server since I hope to use our company's shared network-store) or pre-deploying some certificates?

    I have not read the DSC Book, but I'll check it out when I get home tonight (my company blocks onedrive.live.com, I'm afraid).

  • #16060
    Don Jones
    Keymaster

    Well, two different things.

    Thing 1, you said you can't have a Pull Server; a Pull Server can just be a file server if that makes the decision to use Pull a little easier.

    Thing 2, you have to pre-deploy certs if you're going to encrypt credentials. They don't come from the pull server per se. Not magically, at least, like resource modules can.

    But I think the DSC book shows the syntax where the cert thumbprint goes, if not an explicit example.
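
Thing 1 above, a pull server that is nothing more than a file share, as an added example (not from the thread) in WMF 4.0 syntax. It assumes a share \\FILESERVER\DscPull (placeholder) that the node's computer account can read and the author can write to, a node named SERVER01 (placeholder), and a MOF already compiled the way the original post does it; that MOF still carries a certificate-encrypted credential, since, as the reply says, pulling does nothing to decrypt it.

```powershell
# Added example, not from the thread. WMF 4.0 / Windows 7 syntax.
# Placeholders: \\FILESERVER\DscPull, node SERVER01, the compiled MOF path.

$Share       = '\\FILESERVER\DscPull'                 # placeholder share; no admin rights on the file server needed
$CompiledMof = '.\ManagedServers\SERVER01.mof'        # output of compiling the ManagedServers configuration
# In v4 pull mode a node is identified by a GUID, not its hostname. Generate one per node and record it.
$ConfigId    = [guid]::NewGuid().Guid

# Meta-configuration: switch the node's LCM from push to SMB pull.
Configuration ManagedServersPullLcm
{
    Node 'SERVER01'   # placeholder
    {
        LocalConfigurationManager
        {
            ConfigurationID           = $ConfigId
            RefreshMode               = 'Pull'
            DownloadManagerName       = 'DscFileDownloadManager'      # the SMB download manager
            DownloadManagerCustomData = @{ SourcePath = $Share }
            ConfigurationMode         = 'ApplyAndAutoCorrect'        # re-apply drifted settings on every check
            AllowModuleOverwrite      = $true
        }
    }
}

ManagedServersPullLcm | Out-Null
Set-DscLocalConfigurationManager -Path .\ManagedServersPullLcm -Verbose

# Publish: the file download manager looks in SourcePath for <GUID>.mof and <GUID>.mof.checksum.
$target = Join-Path $Share "$ConfigId.mof"
Copy-Item -Path $CompiledMof -Destination $target -Force
New-DscChecksum -ConfigurationPath $target -OutPath $Share -Force

# Sanity check from the workstation: both files must be present or the node silently pulls nothing.
foreach ($f in @($target, "$target.checksum")) {
    if (-not (Test-Path $f)) { throw "Missing $f on the pull share." }
}
"Node SERVER01 will pull $ConfigId from $Share on its next refresh."
```

Anyone who can write to that share can change what the node applies, so the share permissions are the pull server's entire trust boundary: the authoring team writes, the node computer accounts read, nobody else. If a configuration needs resource modules the node does not have, they go on the same share as ModuleName_Version.zip with their own checksum file, which is the "magic" module delivery the reply refers to; certificates are not delivered that way.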
