Need security tips: asking for credentials in a script

Hi,

I was reading this Hey, Scripting Guy! article (Decrypt PowerShell Secure String Password - Scripting Blog) and I was thinking...
I'm using the Get-Credential cmdlet in my Office 365 scripts to log in to the services. Like this:

$O365Cred = Get-Credential $Mail -Message "Office 365 credentials"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection

But what if someone adds this line to the script?

$O365cred.GetNetworkCredential().Password | Out-File C:\Temp\Credential.txt

Then I saw another command:

$SecurePassword = Read-Host "Type your password" -AsSecureString

In this way, no one can easily read it, right?

My question is: security-wise, how bad is it to use Get-Credential in scripts?

Any time you store the credentials for use in the script, there is a risk that they could be captured and exposed in a manner that would lead to a compromise. But in order to do so, the script would need to be modified (more on that in a bit).
In general it is considered a good thing to prompt for credentials with Get-Credential rather than building your own prompt. A SecureString is just as easily converted to plain text. Some people will use a certificate to encrypt the password, but in order to run the script that uses it you must have access to the cert with the private key that can decrypt the password, and once it is stored in memory it can be exposed.

My recommendation would be to use Get-Credential in your script. Sign the script to protect it from modification. Place it in a location with access controls that only allow the appropriate people to access it to execute it, and limit the people with access to change the file.

Hope this helps

Jonathan Warnken,
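The two points in the answer above, shown in working code. This is an added example written for this page, not code from the thread or from Jonathan's post. Part 1 shows that a SecureString obtained from Read-Host -AsSecureString is exactly as reversible as the one inside a PSCredential, so the "extra line" in the question works against both. Parts 2 and 3 are the recommended mitigations: Authenticode-sign the script and check the signature before running it, and lock the file's ACL down to the people who need it. The script path, the signing certificate subject, the timestamp server and the operator group name are assumptions for illustration.

```powershell
# Added example (editor's, not from the original thread). Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows, and a code-signing certificate in the CurrentUser\My store.

# --- 1. Both prompts yield a SecureString, and both are one call away from plaintext. ---
$cred   = Get-Credential -UserName 'alice@contoso.example' -Message 'Office 365 credentials'
$secure = Read-Host 'Type your password' -AsSecureString

# The Get-Credential route (this is the "extra line" from the question):
$plain1 = $cred.GetNetworkCredential().Password

# The Read-Host -AsSecureString route is just as short: copy the decrypted
# string out of the SecureString via an unmanaged BSTR, then wipe the BSTR.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain2 = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
# On PowerShell 7 the same thing is a single cmdlet call:
#   $plain2 = ConvertFrom-SecureString $secure -AsPlainText
# Conclusion: in-memory secrecy is not the property either prompt gives you.

# --- 2. Sign the script and refuse to run a copy whose signature is not Valid. ---
$scriptPath = 'C:\Scripts\Connect-O365.ps1'                      # assumed path

# Pick a code-signing cert from the current user's store (subject is an assumption).
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like 'CN=Script Signing*' } |
    Select-Object -First 1
if (-not $signer) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Timestamping keeps the signature valid after the signing cert expires (server URL assumed).
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# Any edit to the file, including appending the "extra line", changes the hash
# and turns Status into HashMismatch; an unsigned copy reports NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $scriptPath: signature status is $($sig.Status)"
}

# --- 3. Restrict who can read, run and modify the script file. ---
$acl = Get-Acl -Path $scriptPath
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting parent permissions
$rules = @(
    @{ Id = 'BUILTIN\Administrators';            Rights = 'FullControl'    }   # may edit and re-sign
    @{ Id = "$env:USERDOMAIN\O365-Operators";    Rights = 'ReadAndExecute' }   # assumed group; run only
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($r.Id, $r.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $scriptPath -AclObject $acl

# Only now run it.
& $scriptPath
```

The signature check only bites if it is enforced: set `Set-ExecutionPolicy AllSigned` (or RemoteSigned, for scripts that arrive from elsewhere) so that PowerShell itself refuses a script whose status is not Valid. Treat execution policy as a guard against accidental or casual modification rather than a security boundary, since a user who can run `powershell -ExecutionPolicy Bypass` can skip it; the file ACL in part 3 is what actually keeps the "extra line" from being added, and, as the answer says, nothing protects the credential from code that already runs in the same session as the prompt.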

Will keep using the Get-Credential cmdlet and will look forward to signing my scripts.
Thanks for your time and analysis!

I like to store them in xml. Only the user who generated the credential can use them on the computer they were generated on.

Get-Credential | Export-Clixml creds.xml

The "GetNetworkCredential().Password" method only works for the user who created the credential. This is due to the fact that the credential is encrypted using a personal cert. The only person who can issue this command and view the password is someone who has already decrypted the credential.

For example, most people use the method of exporting to an XML file. If you were to copy that file and attempt to use it under a different security context than the one that created it (i.e. a different Windows account), you would not be able to.

I would say this is secure enough for most people. As Jonathan said, protect access to that stored credential, and to take it a step further, sign your script.
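The Export-Clixml workflow from the post above, end to end, as an added example written for this page rather than code from the thread. It saves a credential, inspects what actually lands on disk, reloads it, and handles the failure the post describes. On Windows, Export-Clixml protects the SecureString inside the XML with DPAPI (the Windows Data Protection API) in the current-user scope, which is what ties the file to the saving account on the saving machine. The file path is an assumption.

```powershell
# Added example (editor's, not from the original thread). Windows only: on Linux/macOS,
# Export-Clixml has no DPAPI and the SecureString is written without that protection.

$credPath = 'C:\Scripts\creds.xml'   # assumed path; put it under the same ACL as the script

# --- One-time, interactive step: prompt once and save. ---
Get-Credential -Message 'Office 365 credentials' | Export-Clixml -Path $credPath

# What is on disk: the user name is plain text, the password is a DPAPI blob
# inside an <SS> (SecureString) element, not Base64 of the password.
Select-String -Path $credPath -Pattern '<S N="UserName">|<SS N="Password">' |
    Select-Object -ExpandProperty Line

# --- In the script: reload. Succeeds only for the saving user on the saving machine. ---
# A different account, or the same account on another machine without a roaming
# profile, cannot decrypt the DPAPI blob, and Import-Clixml fails with a
# cryptographic error instead of silently returning a wrong password.
try {
    $O365Cred = Import-Clixml -Path $credPath -ErrorAction Stop
} catch {
    throw "Cannot decrypt $credPath in this security context (different user or machine): $($_.Exception.Message)"
}

# Use it exactly like a freshly prompted credential.
# $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection

# The caveat from earlier in the thread still holds: for the saving user, the
# plaintext is one call away, so anyone who can run code as that account can do this.
$O365Cred.GetNetworkCredential().Password
```

The practical consequence is that "secure enough" here means "as secure as the Windows account that created the file": a copied creds.xml is useless elsewhere, but any process running as that user, including malware, can call Import-Clixml and then GetNetworkCredential() just as the script does. For a scheduled task or service account, generate the file interactively as that account (for example via `runas`), rather than copying one generated under your own login.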