CUGC Blogs

Have PowerShell Keep Your Confidential Information … Confidential!

By Sam Jacobs posted 09-10-2019 09:53 AM

  


As an IT professional, you have no doubt needed to run processes under a different, more privileged account. PowerShell makes it quite easy with the Get-Credential cmdlet:


$creds = Get-Credential

This pops up a window for you to securely enter your credentials:

[Image: Get-Credential-1.png, the Windows PowerShell credential prompt]

You can then use the credentials in cmdlets that support the -Credential parameter. So, if I wanted to connect to a DDC to get a list of all Citrix sessions, I might do something similar to the following:

$sessions = Invoke-Command -ComputerName CitrixDDC01 -Credential $creds -ScriptBlock {
    Add-PSSnapin Citrix*
    @(Get-BrokerSession)
}


What if I wanted an automated script that retrieves sessions several times a day (and maybe night)? I may not want to stay up until 3 AM to run the script above. PowerShell has you covered there as well, with a way to save your credentials securely.

# Securely store user credentials
$creds = Get-Credential
$pwLocation = "C:\PowerShell\Credentials\securePW.txt"
$creds.Password | ConvertFrom-SecureString | Set-Content $pwLocation


The above snippet encrypts your password and stores the encrypted string in the specified file. ConvertFrom-SecureString, when called without a -Key parameter, uses the Windows Data Protection API (DPAPI) scoped to the user account you are logged on as. This only needs to be done once; the credentials can then be used in any number of scripts by adding the following:


$userName = "username specified above"   # the user name you typed into the Get-Credential prompt
$pwLocation = "C:\PowerShell\Credentials\securePW.txt"
$securePW = Get-Content $pwLocation | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential($userName, $securePW)


Now, if you're a Network Security admin, you may be wondering: "How secure is that? What happens if someone gets hold of the file with the encrypted password? They now have the keys to all your scripts!" Not quite. The string is encrypted with DPAPI under your user account's scope, which means that only code running as that same account can decrypt it. If someone else copies the file and tries to use it, ConvertTo-SecureString cannot decrypt it and the file is useless to them. Two caveats are worth keeping in mind, though: DPAPI does not stop other people from reading, replacing or deleting the file, so restrict its ACL to your account as well; and anything that runs as your account (any script or process, or anyone who can log on with your password) can decrypt it, so the stored password is only as safe as the account that protects it.
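The save and load steps above, wrapped into two small functions, as an added example that is not part of the original post. It stores the user name next to the encrypted password so nothing has to be hard-coded, locks the file's ACL down to the account that created it (DPAPI protects the contents, not the file), and fails with a clear message when the file is read under a different account. The function names and the file path are assumptions.

```powershell
# Added example, not from the original post. Function names and paths are assumptions.

function Save-ScriptCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Without -Key, ConvertFrom-SecureString protects the string with DPAPI in
    # current-user scope: only code running as $me can reverse it.
    [pscustomobject]@{
        UserName  = $Credential.UserName
        Password  = (ConvertFrom-SecureString -SecureString $Credential.Password)
        CreatedBy = $me
    } | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8

    # DPAPI stops other accounts from decrypting the blob, not from reading,
    # replacing or deleting the file. Drop inherited permissions and grant only $me.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ScriptCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $blob = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $securePW = ConvertTo-SecureString -String $blob.Password -ErrorAction Stop
    } catch {
        # Usual cause: the scheduled task or session runs as a different account
        # from the one that wrote the file, so DPAPI refuses to decrypt it.
        throw "Cannot decrypt '$Path' as '$me' (file was created by '$($blob.CreatedBy)'): $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $blob.UserName, $securePW
}

# One-time setup, run interactively as the account the scheduled script will use:
#   Save-ScriptCredential -Path 'C:\PowerShell\Credentials\ddc.cred' -Credential (Get-Credential)
#
# In the scheduled script:
#   $creds = Get-ScriptCredential -Path 'C:\PowerShell\Credentials\ddc.cred'
#   $sessions = Invoke-Command -ComputerName CitrixDDC01 -Credential $creds -ScriptBlock { Add-PSSnapin Citrix*; @(Get-BrokerSession) }
```

The CreatedBy field is only there for the error message; it is not what DPAPI checks. The real binding is the account that calls ConvertTo-SecureString, which is why the error reports both names.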

 

It’s not just for passwords anymore!

 

I am constantly giving demos of PowerShell scripts, and some of them contain confidential information other than passwords. For example, database connection strings, or even the names of servers, such as the name of the DDC in the example above. Get-Credential and the same DPAPI encryption can be used to protect these as well.

 

# Securely store DDC name (type the DDC name into the password field of the prompt)
$SecureDDC = Get-Credential
$ddcLocation = "C:\PowerShell\Credentials\secureDDC.txt"
$SecureDDC.Password | ConvertFrom-SecureString | Set-Content $ddcLocation

[Image: Get-Credential-2.png, the credential prompt with the DDC name entered as the password]

Again, the above need only be done once. I can then securely retrieve the name of my DDC without showing it in scripts with the following:

 

$DDCName = "SecureDDC"   # any non-empty user name will do; only the password field holds the secret
$ddcLocation = "C:\PowerShell\Credentials\secureDDC.txt"
$encryptedDDC = Get-Content $ddcLocation | ConvertTo-SecureString
$secureDDC = New-Object System.Management.Automation.PSCredential($DDCName, $encryptedDDC)
$DDC = $secureDDC.GetNetworkCredential().Password   # the DDC name in plain text, held only in memory

$sessions = Invoke-Command -ComputerName $DDC …

 

REMINDER: If you plan to use Task Scheduler to run your script, make sure the task runs under the same account that created the encrypted string. Under any other account, ConvertTo-SecureString cannot decrypt the DPAPI-protected string, and your script will have no usable password.
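Registering the task so that it actually runs as that account, as an added example that is not part of the original post. Supplying -User and -Password to Register-ScheduledTask stores the account's logon with the task, so it runs whether or not anyone is logged on (the 3 AM case), and the final check confirms the task principal is the account that created the encrypted file. The account name, task name and script path are assumptions.

```powershell
# Added example, not from the original post. Account, task name and script path are assumptions.
$account    = 'CORP\svc-ctxreports'                  # the account that ran ConvertFrom-SecureString
$scriptPath = 'C:\PowerShell\Get-CitrixSessions.ps1' # the script that calls ConvertTo-SecureString

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '03:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# -User/-Password makes the task run under $account whether or not it is logged on.
# Only that account's context can decrypt the DPAPI-protected password file.
$password = Read-Host -Prompt "Password for $account"
Register-ScheduledTask -TaskName 'Citrix Session Report' -Action $action -Trigger $trigger `
    -Settings $settings -User $account -Password $password -RunLevel Highest | Out-Null

# Check before the first run: the task principal must be the account that created
# the encrypted file, otherwise ConvertTo-SecureString will fail inside the task.
$principal = (Get-ScheduledTask -TaskName 'Citrix Session Report').Principal.UserId
if ($principal -ne $account) { throw "Task runs as '$principal', expected '$account'" }
```

If the task is registered from the Task Scheduler GUI instead, the equivalent settings are "Run whether user is logged on or not" with the same account; the principal check above still applies.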

Sam Jacobs is the Director of Technology Development at IPM, the longest standing Citrix Platinum Partner on the East Coast. With more than 30 years of IT consulting, Sam is a Citrix NetScaler, StoreFront, and Web Interface customization and integration expert, and holds Microsoft MCSD, Citrix CCP-N, and ShareFile certifications. He has presented advanced Web Interface and NetScaler customization sessions at BriForum, and has led breakout sessions at Citrix Synergy 2013-2018 on StoreFront and NetScaler. He is one of the top Citrix Support Forum contributors, and has earned industry praise for the tools he has developed to make Web Interface, StoreFront, and NetScaler easier to manage for administrators and more intuitive for end users. Sam became a Citrix Technology Professional (CTP) in 2015 and may be reached at sam.jacobs@ipm.com or on Twitter at: @WIGuru.


#PowerShell

Comments

09-25-2019 01:51 AM

@Jamie Allyn

If you would like to share the encrypted password among users, you can use AES (Advanced Encryption Standard). Here is an example of how to use it (it is quite similar to the above):
https://www.virtualtothecore.com/encrypt-passwords-in-powershell-scripts/

However, since it is a symmetric algorithm (the same key that can encrypt can also decrypt), if a user has both the password file as well as the AES key, they have a way to get to the password in plain text.

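The -Key variant mentioned in the comment above, as an added example that is not part of the original post or the comment thread. ConvertFrom-SecureString -Key encrypts with AES using a key you supply (16, 24 or 32 bytes), so any account that can read both files can recover the password, which is exactly the trade-off the comment describes. The example therefore restricts the key file to a group that is allowed to run the script. Paths, the group name and the account name are assumptions.

```powershell
# Added example, not from the original post or comments. Paths, group and account are assumptions.
$keyPath = 'C:\PowerShell\Credentials\shared.key'
$pwPath  = 'C:\PowerShell\Credentials\sharedPW.txt'

# --- one-time: generate a random 256-bit key (ConvertFrom-SecureString accepts 16, 24 or 32 bytes) ---
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyPath, $key)

# The key file is the whole secret: anyone who can read it and the password file
# gets the plaintext. Remove inherited ACEs and grant read only to the script runners.
icacls $keyPath /inheritance:r /grant:r 'CORP\CitrixScriptRunners:(R)' 'BUILTIN\Administrators:(F)' | Out-Null

# --- one-time: encrypt the password with that key instead of DPAPI ---
$creds = Get-Credential
$creds.Password | ConvertFrom-SecureString -Key $key | Set-Content -Path $pwPath

# --- in any script run by a member of the group, on any machine that can read both files ---
$key      = [System.IO.File]::ReadAllBytes($keyPath)
$securePW = Get-Content -Path $pwPath | ConvertTo-SecureString -Key $key
$shared   = New-Object System.Management.Automation.PSCredential('CORP\svc-ctxreports', $securePW)
$sessions = Invoke-Command -ComputerName CitrixDDC01 -Credential $shared -ScriptBlock { Add-PSSnapin Citrix*; @(Get-BrokerSession) }
```

Unlike the DPAPI form, this works across machines and accounts, which is the point; the price is that the key file now needs the same care as the password itself.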
09-19-2019 02:10 PM

Unfortunately Sam notes that the encrypted password can only be retrieved within the same context in which it was generated, so multiple users would not be able to leverage the same set of credentials with this solution.

I'd love to hear others' methods for securely storing PS credentials in a method where multiple people can use them without seeing them! The best I can do is use some obfuscation in my variable creation and hide parts of the creds in different files... but any curious script debugger would have them translated in minutes.

09-17-2019 02:00 PM

Very useful pieces of information and also advantageous if multiple individuals need to run such scripts and need access to the credentials without having to embed such information in the scripts themselves.