Domain password global Variable

I created a module for our tech staff with functions that would query our AD server about specific information with a user's login or display name as the input.

Each function in the module requires domain credentials for authentication. I originally had each function prompt the user before each execution, but it was requested that they be prompted just once for each PowerShell session instance.

To facilitate this, I created a new function “Get-TPAdminLogon” to store the credentials as a Global Variable (PSCredential object). For the duration of the session, each function in the module can then reference the $TPCred variable which contains the credentials needed to execute each function within the module.

Should I be concerned about these credentials being stored in a Variable? Technically one could retrieve that with $TPCred.GetNetworkCredential().password. The functions can only be run from each technician's local workstation and also from a terminal server that only we have VPN access to.

Would I gain anything by encrypting the PSCredential Object to a file and then decrypt when needed?

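function Get-TPAdminLogin
{
	try
	{
		# Prompt only if no credential is cached for this session yet
		if (!($TPCred))
		{
			# Build a lookup table from the CSV's key/Value columns (workstation username -> admin logon)
			$TPLogins = Import-Csv S:\TPModules\TPLogins.csv |
			foreach -Begin { $hash = @{ } } -Process { $hash.Add($_.key, $_.Value) } -end { $hash }
			
			$AdminLogon = $TPlogins.($env:username)
			# Cache the PSCredential object for the rest of the session
			$Global:TPCred = Get-Credential -Credential XXXXXXX\$AdminLogon
			#Test the credential to verify authenticity
			Invoke-Command -ComputerName 10.221.21.3 -ScriptBlock { $env:COMPUTERNAME } -Credential $TPCred -ErrorAction Stop | Out-Null
		}
	}
	catch
	{
		Write-Host "Something Wrong with the Credentials" -ForegroundColor Red
		# Drop the rejected credential so the next call prompts again
		$Global:TPCred = $null
		# Break outside a loop unwinds the call stack, so the calling function stops as well
		Break
	}
	finally { }
}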

Storing credentials somewhere is always a potential risk. Take a look at the Export-CliXml and Import-CliXml cmdlets; you can use these to store credentials in an encrypted XML format that can only be used by the user and on the computer that exported the credentials.

The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. This ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CliXml file can neither be used on a different computer nor by a different user.

pwshliquori
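One way to combine the once-per-session prompt from the question with the Export-Clixml approach from this answer. This is an added example, not code from the thread; the function name, parameter names, variable names and file path are hypothetical, and it assumes Windows and that the code lives in the module's .psm1 so that `$script:` is module scope.

```powershell
# Added example. Function, variable names and the file path are hypothetical.
# Windows only: Export-Clixml protects the password with DPAPI (current user + this computer).
$script:AdminCred = $null    # module-scoped cache instead of $Global:TPCred
$script:CredFile  = Join-Path $env:LOCALAPPDATA 'TPModules\admin-cred.xml'

function Get-CachedAdminCredential {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory)][string]$UserName,   # e.g. 'DOMAIN\admin.account'
        [scriptblock]$Validate,                    # optional check; must throw if the credential is rejected
        [switch]$Force                             # ignore memory and disk cache, prompt again
    )

    # 1. Already obtained in this session.
    if ($script:AdminCred -and -not $Force) { return $script:AdminCred }

    # 2. Saved by an earlier session of the same user on this computer.
    $cred = $null
    if (-not $Force -and (Test-Path -LiteralPath $script:CredFile)) {
        try {
            $loaded = Import-Clixml -LiteralPath $script:CredFile -ErrorAction Stop
            if ($loaded -is [pscredential] -and $loaded.UserName -eq $UserName) { $cred = $loaded }
        }
        catch {
            # Decryption fails when the file was written by another user or on another computer.
            Write-Warning "Saved credential is unusable here: $($_.Exception.Message)"
        }
    }

    # 3. Nothing usable: prompt once.
    if (-not $cred) { $cred = Get-Credential -UserName $UserName -Message 'Admin logon for AD queries' }
    if (-not $cred) { throw 'No credential supplied.' }

    # Check before caching so a mistyped password is never written to disk.
    if ($Validate) { & $Validate $cred }

    $dir = Split-Path -Parent $script:CredFile
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $cred | Export-Clixml -LiteralPath $script:CredFile
    $script:AdminCred = $cred
    return $cred
}
```

After a password change the saved file is stale, so call the function again with `-Force`. Code running as the same user on the same computer can still recover the password from the file or the cached object, just as with `$TPCred.GetNetworkCredential()`.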

What pwshliquori points to is a valid approach. However, there are other options / thoughts on the topic.

It’s best to look at them all, in order to properly decide which one would be the most prudent for your org and use case.

All-in-all, this is an org policy decision, between you and your risk management team as well.

Using Credential Manager in PowerShell
https://bitsofwater.com/2018/02/16/using-credential-manager-in-powershell

Using a certificate to encrypt credentials in automated PowerShell scripts
https://www.cgoosen.com/2015/02/using-a-certificate-to-encrypt-credentials-in-automated-powershell-scripts

Encrypting passwords in a PowerShell script

Securely Store Credentials on Disk
http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

Quickly and securely storing your credentials – PowerShell

Using saved credentials securely in PowerShell scripts

Working with Passwords, Secure Strings and Credentials in Windows PowerShell

Want to secure credentials in Windows PowerShell Desired State Configuration?

Secure Credentials with Self-Signed Certificates for PowerShell Scripts

Saving Credentials for Office 365 PowerShell Scripts and Scheduled Tasks

How to run a PowerShell script against multiple Active Directory domains with different credential