The greatest challenge to any thinker is stating the problem in a way that will allow a solution

Bertrand Russell


On 6 Sep 2011

PowerShell



Being able to supply appropriate security credentials is a necessary obstacle in today’s security-conscious world of IT. When I first started, many moons ago, the systems I managed all had the same (dictionary word) password on the (un-renamed) local Administrator account, and you didn’t lock your PC, have to change your password, or have to worry about not being a domain admin on every system by default.

PowerShell scripts inherit the rights of the user that starts them, which is normally all well and good if the script only needs to run and access local resources, but as soon as it needs to access any remote resources the chances of having to supply credentials grow rapidly.

Credentials are represented by a PSCredential object, which can then be supplied to a cmdlet that requires it…

Get-Credential

$cred = Get-Credential
Get-WMIObject -query "SELECT * FROM Win32_OperatingSystem" -Credential $cred -Computer 192.168.1.12

Get-Credential asks you to supply your credentials interactively, which is obviously useless for scripting, but OK when doing some manual tinkering.

Supplying Credentials

In order to create a credential object on the fly, you need to be able to supply the appropriate info. This means you need to have your username and password available, probably in an insecure fashion. This might not bother you if you’re accessing an internal low security system with a read-only account, but you should be aware that it is insecure. You can’t just create a PSCredential object using a plain text username and password, as that would make it too easy (to be insecure); you have to convert your password into a secure string…

$username = "MyUsername"
$password = "MyPassword"
$SecPass = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username,$SecPass
$wmiobj = Get-WMIObject -Query "SELECT * FROM Win32_BIOS" -Credential $cred -Computer 192.168.1.12

Secure Password Store

If you need to use a set of credentials that you need to keep secure, then this is the way to do it (I didn’t work this out myself, I adapted it from this page on BSonPoSH). It ensures that your password is securely saved to a file, from where it can be readily recalled.

The first stage is to create the password file…

$Credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content "Pass.fil"

Note that whatever you use for a username above gets ignored, and also that ConvertFrom-SecureString converts to an encrypted string, so the contents of your file are secure.

Then you can use this in a script; $cred is a standard PSCredential object.

$pass = Get-Content "Pass.fil" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PsCredential("MyUsername",$pass)

A more elaborate solution, where both user and pass get saved…

# Example file locations (assumed; the original snippet does not define them)
$UserFile = "User.fil"
$PassFile = "Pass.fil"

# Check for credential files, create if required
if (!(Test-Path $UserFile) -or !(Test-Path $PassFile)) {
    Write-Host "Credential files not found"
    # Pre-fill the prompt with DOMAIN\username of the current user
    $cred = Get-Credential -Credential ($env:userdomain + "\" + $env:username)
    $cred.UserName | Set-Content $UserFile -Force
    $cred.Password | ConvertFrom-SecureString | Set-Content $PassFile -Force
    Write-Host "Credentials saved"
}

# Load password credential from encrypted file
$pass = Get-Content $PassFile | ConvertTo-SecureString
$user = Get-Content $UserFile
$cred = New-Object System.Management.Automation.PsCredential($user, $pass)
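The store above, wrapped into a reusable function that also handles the case where the file cannot be decrypted. This is an added example, not code from the original post or from BSonPoSH. It relies on the fact that ConvertFrom-SecureString, when used without -Key or -SecureKey, protects the string with Windows DPAPI under the current user account, so the file can only be read back by the same user on the same machine. Get-StoredCredential and cred.fil are hypothetical names.

```powershell
# Added example. Get-StoredCredential and cred.fil are hypothetical names.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$DefaultUser = "$env:USERDOMAIN\$env:USERNAME"
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: prompt once, then persist user name and encrypted password.
        $new = Get-Credential -Credential $DefaultUser
        if (-not $new) { throw "No credential supplied; nothing saved to $Path" }

        # No -Key given, so the password is encrypted with DPAPI for the current user.
        $blob = $new.Password | ConvertFrom-SecureString
        Set-Content -LiteralPath $Path -Value @($new.UserName, $blob)
    }

    # Line 1 is the user name, line 2 the encrypted password.
    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines.Count -ne 2) { throw "Unexpected format in $Path" }

    try {
        $pass = ConvertTo-SecureString -String $lines[1] -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was created by another account or on another machine,
        # for example interactively by an admin and then read by a scheduled task.
        throw ("Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME. " +
               "Re-create the file under the account that runs the script.")
    }

    New-Object System.Management.Automation.PSCredential($lines[0], $pass)
}

# Usage, with the same query and address as the earlier examples on this page
$cred = Get-StoredCredential -Path (Join-Path $env:APPDATA "cred.fil")
Get-WMIObject -Query "SELECT * FROM Win32_BIOS" -Credential $cred -Computer 192.168.1.12
```

Create the file while logged on as the account that will run the script, since a file made under one account will fail to decrypt under another.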
