PowerShell Net Use vs New-PSDrive

Welcome Forums General PowerShell Q&A PowerShell Net Use vs New-PSDrive

Viewing 2 reply threads
  • Author
    Posts
    • #190675
      Participant
      Topics: 1
      Replies: 1
      Points: 15
      Rank: Member

      Each night I connect from my 2016 Server to a Synology NAS via New-PSDrive to copy nightly backup from the Server to the Synology and this has worked with any issues until a few days ago.

      I won't go into the details of all the things that went wrong in a single day to allow this to happen, but some malware got onto the server and was beginning to encrypt the files.  It just so happened by backup script ran, mapped the drive to the Synology and then those files were being encrypted.

      In my limited understanding of how these things work, I'm guessing since my backup script mapped the drive, the malware just saw it as another folder and began doing it thing.

      In my research I can across an article that says I can use Net Use command to use the UNC Path without having to assign a drive letter.  The command I run inside PowerShell is net use \\30.0.0.2\homes\[folder] /user:[user] [password]

      Once I run the above code I can access the Synology folder to copy my files.  Before it was Z:\Backups and now it's \\30.0.0.2\homes\Backups.  This works for me and I can update my script to use the UNC were needed.  After I ran the net use command I checked explorer and didn't see any signs of a new drive or folder (on the Synology).

      So my question is would this change protect the files on the Synology if this were to happen again down the road?  Does anyone know of any Consultants in the Raleigh, NC area?

    • #190888
      Participant
      Topics: 10
      Replies: 116
      Points: 451
      Helping Hand
      Rank: Contributor

      Yes, you could use the net use command as per your post but there's really no perfect protection against any zero day, hence, all the alternatives we attempt 🙂

      You can store the password in a text file as an encrypted string. The in the script, convert the encrypted string back to a secure string, and then to plain text for use by net use. Keep in mind that the account running the script must be the same one that created the secure/encrypted string.

      Store password as encrypted string in file:

      'SomePasswordForNAS' |
          ConvertTo-SecureString -AsPlainText -Force |
          ConvertFrom-SecureString |
          Out-File EncryptedString.txt

      Then in script:

      $encryptedString = Get-Content -Path EncryptedString.txt | ConvertTo-SecureString
      $bstr            = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($encryptedString)
      $password        = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
      
      net use \\30.0.0.2\homes\Backups /user:domain\user $password
      
      ... # transfer backups
      
      net use \\30.0.0.2\homes\Backups /delete

      Though, outside the scope of this forum, I recommend looking into the proactive security measures of a PAW implementation. The closer it is practiced, the smaller attack surface and better protection you'll have.

    • #190906
      Participant
      Topics: 1
      Replies: 1
      Points: 15
      Rank: Member

      Aaron,

      Thanks for help and insight.  I must admit my head is still spinning a bit and realize this is a game of least exposure.  Backups, Backups, Backups...

      Thanks again,
      Kevin

Viewing 2 reply threads
  • You must be logged in to reply to this topic.