Need security tips asking for credentials on a script

This topic contains 4 replies, has 4 voices, and was last updated by Steve Flowers 6 months ago.

  • #41684
    Vandrey Trindade
    Participant

    Hi,

    I was reading this article from the Hey, Scripting Guy! blog (https://blogs.technet.microsoft.com/heyscriptingguy/2013/03/26/decrypt-powershell-secure-string-password/) and I was thinking...
    I'm using the Get-Credential cmdlet for my scripts on Office 365 to login to the services. Like this:

    $O365Cred = Get-Credential $Mail -Message "Office 365 credentials"
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection

    But what about if someone adds this line on the script?

    $O365cred.GetNetworkCredential().Password | Out-File C:\Temp\Credential.txt

    Then I saw another command:

    $SecurePassword = Read-Host "Type your password" -AsSecureString

    In this way, no one can easily read it, right?

    My question is: How bad is it to use Get-Credential on scripts for security?

  • #41686
    Jonathan Warnken
    Participant

    Anytime you store the credentials for use in the script there is a risk that they could be captured and exposed in a manner that would lead to a compromise. But in order to do so the script would need to be modified. (more on that in a bit)
    In general it is considered a good thing to prompt for credentials with get-credential rather than building your own prompt. A Secure String is just as easily converted to plain text. Some people will use a certificate to encrypt the password, but in order to run the script that uses it you must have access to the cert with the private key that can decrypt the password, and once it is stored in memory it can be exposed.

    My recommendation would be to use get-credential in your script. Sign the script to protect it from modification. Place it in a location with access controls that only allow the appropriate people to access it to execute it and limit the people with access to change the file.

    Hope this helps
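The two controls recommended above, signing the script and restricting who can change the file, as an added example that is not part of the thread. It assumes a placeholder script path (C:\Scripts\Connect-O365.ps1) and a code-signing certificate in Cert:\CurrentUser\My that chains to a root the machine trusts; a self-signed certificate without a trusted root verifies as 'UnknownError' rather than 'Valid'.

```powershell
# Added example, not from the thread. Signs a script, verifies the signature
# before running it, and limits who can modify the file.
# Assumptions (placeholders): the script is C:\Scripts\Connect-O365.ps1 and a
# code-signing certificate that chains to a trusted root is already in
# Cert:\CurrentUser\My.

$ScriptPath = 'C:\Scripts\Connect-O365.ps1'

# Pick the first code-signing certificate in the user's personal store
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $Cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script. Any later edit to the file, such as an added Out-File line,
# invalidates this signature.
$Result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $Cert
if ($Result.Status -ne 'Valid') {
    throw "Signing failed: $($Result.Status) - $($Result.StatusMessage)"
}

# Limit write access: drop inherited ACEs, then grant the signing user
# read/execute and local Administrators full control (adjust for your team).
icacls $ScriptPath /inheritance:r /grant:r "$($env:USERNAME):(RX)" 'Administrators:(F)' | Out-Null

# Have PowerShell itself refuse unsigned or modified scripts for this user
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force

# Explicit check before running, on top of the AllSigned policy
$Sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($Sig.Status -ne 'Valid') {
    throw "Refusing to run $ScriptPath - signature status is $($Sig.Status)"
}
& $ScriptPath
```

With AllSigned in force, a script whose content no longer matches its signature is refused by PowerShell before any line in it runs, which is the property the original question is after: a credential prompted for with Get-Credential can only be misused by a script that has been altered, and alteration is now detected.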

  • #41839
    Vandrey Trindade
    Participant

    Jonathan Warnken,

    Will keep using the Get-Credential cmdlet and will look forward to signing my scripts.
    Thanks for your time and analysis!

  • #41859
    Dan Potter
    Participant

    I like to store them in xml. Only the user who generated the credential can use them on the computer they were generated on.

    Get-Credential | Export-Clixml creds.xml

  • #41938
    Steve Flowers
    Participant

    The "GetNetworkCredential().Password" method only works for the user that created the credential. This is due to the fact that the credential is encrypted using a personal cert. The only person who can issue this command and view the password is someone who has already decrypted the credential.

    For example, most people use the method of exporting to an XML file. If you were to copy that file and attempt to use it under another security context than the one that created it (i.e. a different Windows account), you would not be able to.

    I would say this is secure enough for most people. As Jonathan said, protect access to that stored credential, and to take it a step further, sign your script.
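The Export-Clixml approach from the two posts above, as an added example that is not code from the thread. Export-Clixml protects the SecureString inside a PSCredential with DPAPI, which is why the file only imports for the same Windows account on the same computer; the example stores it under the user's own profile, fails clearly when the file is loaded in the wrong context, and warns if other accounts have been granted access to it. The storage path and the function names are assumptions for illustration.

```powershell
# Added example, not from the thread. Saves a credential once with
# Export-Clixml (DPAPI-protected, bound to this user and this machine) and
# loads it on later runs. The path and helper names are placeholders.

$CredPath = Join-Path $env:LOCALAPPDATA 'O365\creds.xml'   # per-user profile, not a shared folder

function Save-StoredCredential {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The prompt is still Get-Credential; only the storage is added
    Get-Credential -Message 'Office 365 credentials' | Export-Clixml -Path $Path
}

function Get-StoredCredential {
    param([string]$Path)
    try {
        $Cred = Import-Clixml -Path $Path
    } catch {
        # Typical cause: the file was copied to another machine or account, so the
        # DPAPI blob cannot be decrypted in this security context.
        throw "Cannot load $Path as $($env:USERDOMAIN)\$($env:USERNAME) on $($env:COMPUTERNAME): $_"
    }
    if ($Cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential"
    }
    return $Cred
}

function Test-StoredCredentialAcl {
    param([string]$Path)
    # Report any ACE that is not the owner, SYSTEM or local Administrators
    $Expected = "$($env:USERDOMAIN)\$($env:USERNAME)", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $Extra = (Get-Acl -Path $Path).Access |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value }
    foreach ($Ace in $Extra) {
        Write-Warning "Unexpected access to $Path for $($Ace.IdentityReference): $($Ace.FileSystemRights)"
    }
    return ($Extra.Count -eq 0)
}

if (-not (Test-Path -Path $CredPath)) { Save-StoredCredential -Path $CredPath }
[void](Test-StoredCredentialAcl -Path $CredPath)
$O365Cred = Get-StoredCredential -Path $CredPath

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection
```

Once Import-Clixml has run, the PSCredential in memory behaves exactly like one returned by Get-Credential, so the stored file changes who can load the secret, not what a modified script could do with it in session; that is why the thread pairs this with signing the script.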
