Background:

When we schedule a task to connect to other servers or a database, we need to save the credentials on that server. This can be a security weakness: any other user with access to the same computer who opens the file can read those credentials.

To prevent this, we can encrypt our password with a key, then lock both files (the encrypted password and the key) down with ACLs. This way there is less chance of our credentials being exposed.

Following is a diagram to show the concept:

[Diagram: Powershell]

Tasks:

1. Create a user that can run scheduled tasks.

2. Create an AES key to encrypt the password, then save it to a file.

3. Create an encrypted password using the key generated in task 2, and save it to another file.

4. Create a PowerShell script that loads both files, decrypts the password using the key, and uses the decrypted password for subsequent work, e.g. connecting to an Azure SQL server.

5. Create a scheduled task under the user created in task 1 that runs the PowerShell script from task 4.

Because tasks 1 and 5 are very basic steps, we will focus only on tasks 2-4, broken into two parts.


PART A - Generate credential files for password and encryption key

#1. Create a 32-byte (256-bit) array to hold the AES key
$AESKey = New-Object byte[] 32
#2. Fill it with random bytes (if this step is skipped, the key stays all zeros)
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
#3. Set AES key file path
$AESKeyFilePath = "c:\batch\aeskey.txt"
#4. Save the AES key to the file (Set-Content overwrites; Add-Content would append to an old key and corrupt it)
Set-Content -Path $AESKeyFilePath -Value $AESKey
#5. Set password
$password = "<yourpassword>"
#6. Convert the plain-text password to a SecureString
$secureStringPwd = $password | ConvertTo-SecureString -AsPlainText -Force
#7. Encrypt the SecureString with the AES key; the result is a printable string
$encryptedPwd = $secureStringPwd | ConvertFrom-SecureString -Key $AESKey
#8. Set credential file path
$credentialFilePath = "c:\batch\pass.txt"
#9. Save the encrypted password to the file
Set-Content -Path $credentialFilePath -Value $encryptedPwd
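The background section says to lock both files with an ACL, but Part A never does it, and the ACL is the control that actually keeps other users of the machine away from the key. The following added example (not the post's own code) runs Part A end to end and finishes with that lock: a random key, both files written with Set-Content, the password read with Read-Host so it never appears in the script or the console history, and icacls used to strip inherited permissions from both files. The task account name CONTOSO\svc_task, the decision to leave Administrators and SYSTEM with full control, and the existence of c:\batch are assumptions.

```powershell
# Added example, not the original post's code.
# Assumptions: the task account from task 1 is CONTOSO\svc_task (placeholder),
# c:\batch already exists, and this is run from an elevated prompt.
$TaskAccount        = 'CONTOSO\svc_task'    # placeholder; replace with your task account
$AESKeyFilePath     = 'c:\batch\aeskey.txt'
$CredentialFilePath = 'c:\batch\pass.txt'

# 1. Generate a random 256-bit key. Without the RNG call the array would stay all zeros.
$AESKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($AESKey)

# 2. Write the key, one byte value per line (the format Part B reads back with Get-Content).
#    Set-Content replaces any stale key file instead of appending to it.
Set-Content -Path $AESKeyFilePath -Value $AESKey

# 3. Prompt for the password so it is never stored in the script or the command history,
#    then encrypt it with the key and write the result.
$securePwd    = Read-Host -Prompt 'Password for the task account' -AsSecureString
$encryptedPwd = $securePwd | ConvertFrom-SecureString -Key $AESKey
Set-Content -Path $CredentialFilePath -Value $encryptedPwd

# 4. Lock both files down: remove inherited ACEs, then grant read to the task account
#    and full control only to Administrators and SYSTEM (assumed policy).
foreach ($file in $AESKeyFilePath, $CredentialFilePath) {
    icacls $file /inheritance:r | Out-Null
    icacls $file /grant:r "${TaskAccount}:(R)" 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
}

# 5. Print the resulting ACLs so the operator can confirm no other principal has read access.
foreach ($file in $AESKeyFilePath, $CredentialFilePath) {
    Write-Host "ACL for $file"
    (Get-Acl -Path $file).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

If the final listing shows any identity other than the task account, Administrators and SYSTEM, the inheritance removal did not take effect and the files should not be used until it is fixed.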


PART B - Load the password from those two files

#1 Set username
$username = "<username>"
#2 Set key file path
$AESKeyFilePath = "c:\batch\aeskey.txt"
#3 Set password file path (a separate variable; it must not overwrite $AESKeyFilePath)
$SecurePwdFilePath = "c:\batch\pass.txt"
#4 Load the key into $AESKey (one byte value per line, as written in Part A)
$AESKey = Get-Content $AESKeyFilePath
#5 Load the encrypted password into $pwdTxt
$pwdTxt = Get-Content $SecurePwdFilePath
#6 Decrypt the password back into a SecureString using the key
$securePwd = $pwdTxt | ConvertTo-SecureString -Key $AESKey
#7 Combine username and password into a credential object
$credObject = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $securePwd
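The added example below (not from the post) wraps Part B in a function that fails early on the conditions a scheduled task would otherwise hit silently or much later: a missing file, a key file of the wrong length (for instance one that was appended to twice), or an all-zero key, which is exactly what Part A produces if the random-number step is skipped. The Invoke-Sqlcmd call at the end stands in for the Azure SQL connection mentioned in task 4; it assumes the SqlServer module is installed, and the server and database names are placeholders.

```powershell
# Added example, not the original post's code.
# Assumptions: file paths as in Part A; the SqlServer module (Invoke-Sqlcmd with
# -Credential) is installed; server and database names below are placeholders.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $AESKeyFilePath    = 'c:\batch\aeskey.txt',
        [string] $SecurePwdFilePath = 'c:\batch\pass.txt'
    )

    # Fail with a clear message instead of letting ConvertTo-SecureString report a cryptic error.
    foreach ($p in $AESKeyFilePath, $SecurePwdFilePath) {
        if (-not (Test-Path -Path $p -PathType Leaf)) { throw "Missing credential file: $p" }
    }

    # Get-Content returns one string per line; cast it back to the byte[] the key really is.
    [byte[]] $AESKey = Get-Content -Path $AESKeyFilePath

    # AES accepts 128-, 192- or 256-bit keys; anything else means the key file was corrupted.
    if ($AESKey.Length -notin @(16, 24, 32)) {
        throw "Key file has $($AESKey.Length) bytes; expected 16, 24 or 32"
    }

    # An all-zero key means the RNG step in Part A never ran; the file must be regenerated.
    if (-not ($AESKey | Where-Object { $_ -ne 0 })) {
        throw 'Key file contains only zeros; regenerate it with a random key'
    }

    $pwdTxt    = (Get-Content -Path $SecurePwdFilePath -Raw).Trim()
    $securePwd = $pwdTxt | ConvertTo-SecureString -Key $AESKey
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $securePwd
}

# Usage from the scheduled task script. The PSCredential is handed straight to the
# cmdlet, so the plain-text password is never assigned to a variable or written to a log.
$cred = Get-StoredCredential -UserName '<username>'
Invoke-Sqlcmd -ServerInstance '<yourserver>.database.windows.net' `
              -Database '<yourdb>' `
              -Credential $cred `
              -Query 'SELECT SYSDATETIMEOFFSET() AS server_time;'
```

Keep the checks even once the setup works: the key-length and all-zero tests cost nothing, and they turn the two most common ways these files go wrong into an immediate, readable failure in the task history.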


About Lei

I am an IT specialist with over 10 years' experience - years on automation, on-premise or Azure.

I am happy to develop, however I never want to be a full-time developer. I only do what I have to do. If it has to be PowerShell, HTML, PHP, CSS, C#, VBS or JS, front end or back end, so be it, it doesn't matter!

Spent years with Windows, SCCM, SharePoint, SQL and Exchange servers. For the last several years, I have been actively working in an On-Premise > Azure environment.

THERE IS NO WAY BACK!!!

Current Certificates:
    Microsoft® Certified:
  • Enterprise Administrator
  • Database Administrator
  • SharePoint Administrator
  • Administering and Deploying SCCM 2012
    Red Hat Certified Technician
    ITIL V3 Foundation - Practitioner

Working on Azure Certificates now and hopefully they can stop upgrading their questions one day! GIVE ME A BREAK!

2017-12-17