Password in File

This topic contains 4 replies, has 2 voices, and was last updated by Profile photo of ertuu85 ertuu85 1 month, 3 weeks ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #49867
    Profile photo of ertuu85
    ertuu85
    Participant

    Hello, I'm doing some work with exchange and I need to put a plaintext password in the file...

    I know this inst really a best practice but i'm not sure there is a way around it.

    Is there a way to pre-encrypt the password to gibberish and then just reconstruct it to plaintext pass when it is being passed?

    Such as..

    $password = "123413434afasfdaf;kj;3143143143"
    $s.Credentials = New-Object Net.NetworkCredential([email protected]', (convert-passwordback $password)
    

    Full code below:

    Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
    $s.Credentials = New-Object Net.NetworkCredential([email protected]', 'plaintextpass')
    $s.Url = new-object Uri("https://mail.domain.com/ews/exchange.asmx")
    
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    
    #49869
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    You'd want to encrypt the password in your file, and decrypt it when the script runs. How you do this, exactly, depends on who needs to be able to run the script. (Or in other words, who has the key that is able to decrypt the password?)

    If you're the one running the script, it's very easy. Just create a PSCredential object with the Get-Credential cmdlet, then pipe it to Export-Clixml. PowerShell will automatically encrypt the password for you, and when you use Import-Clixml later to load that file up from disk, you'll have a credential object again (with the correct password.) The encryption key used for that file is part of your user profile (the Windows Data Protection API, if you're curious and want to read up on how that all works.) That means that other users won't be able to decrypt the password, nor will you be able to decrypt it on another computer in most cases.

    If you need to share the password with other users, the best approach is to use certificates. Each user can have their own cert (which contains a private key), and you can encrypt your password using multiple certificates so that each authorized user is able to read it. PowerShell v5 added some new commands to help with this: Protect-CmsMessage and Unprotect-CmsMessage. If you need to use older version of PowerShell instead, I've got a module called ProtectedData which works much the same way (with Protect-Data and Unprotect-Data commands, uses certificates.)

    I gave a presentation on this topic at the PowerShell summit a year or so ago: https://youtu.be/Ta2hQHVKauo

    #49882
    Profile photo of ertuu85
    ertuu85
    Participant

    Before I research this, I should have said this script will run under my user as a scheduled task.
    Is your method still viable for this?

    And thanks for your prompt response!

    #49884
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    Yep, as long as the scheduled task executes as your account, you should be fine. 🙂

    #49886
    Profile photo of ertuu85
    ertuu85
    Participant

    Wow Dave, things finally got slow here and I was able to thoughtfully read your post and follow it...

    This is such an amazing technique! It's easy, and actually secure! Thanks again for the great tip, this is one of my new favorite powershell methods and committed to memory!

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.