- August 10, 2016 at 3:57 pm #49867
Hello, I'm doing some work with exchange and I need to put a plaintext password in the file...
I know this inst really a best practice but i'm not sure there is a way around it.
Is there a way to pre-encrypt the password to gibberish and then just reconstruct it to plaintext pass when it is being passed?
$password = "123413434afasfdaf;kj;3143143143" $s.Credentials = New-Object Net.NetworkCredential([email protected]', (convert-passwordback $password)
Full code below:
Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll" $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1) $s.Credentials = New-Object Net.NetworkCredential([email protected]', 'plaintextpass') $s.Url = new-object Uri("https://mail.domain.com/ews/exchange.asmx") $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)August 10, 2016 at 4:01 pm #49869
You'd want to encrypt the password in your file, and decrypt it when the script runs. How you do this, exactly, depends on who needs to be able to run the script. (Or in other words, who has the key that is able to decrypt the password?)
If you're the one running the script, it's very easy. Just create a PSCredential object with the Get-Credential cmdlet, then pipe it to Export-Clixml. PowerShell will automatically encrypt the password for you, and when you use Import-Clixml later to load that file up from disk, you'll have a credential object again (with the correct password.) The encryption key used for that file is part of your user profile (the Windows Data Protection API, if you're curious and want to read up on how that all works.) That means that other users won't be able to decrypt the password, nor will you be able to decrypt it on another computer in most cases.
If you need to share the password with other users, the best approach is to use certificates. Each user can have their own cert (which contains a private key), and you can encrypt your password using multiple certificates so that each authorized user is able to read it. PowerShell v5 added some new commands to help with this: Protect-CmsMessage and Unprotect-CmsMessage. If you need to use older version of PowerShell instead, I've got a module called ProtectedData which works much the same way (with Protect-Data and Unprotect-Data commands, uses certificates.)
I gave a presentation on this topic at the PowerShell summit a year or so ago: https://youtu.be/Ta2hQHVKauoAugust 10, 2016 at 4:51 pm #49882
Before I research this, I should have said this script will run under my user as a scheduled task.
Is your method still viable for this?
And thanks for your prompt response!August 10, 2016 at 5:15 pm #49884
Yep, as long as the scheduled task executes as your account, you should be fine. 🙂August 10, 2016 at 6:22 pm #49886
Wow Dave, things finally got slow here and I was able to thoughtfully read your post and follow it...
This is such an amazing technique! It's easy, and actually secure! Thanks again for the great tip, this is one of my new favorite powershell methods and committed to memory!
You must be logged in to reply to this topic.