[英]How can we safely store powershell credentials for script usage
I am looking for a secure means to store powershell credentials for use in a scheduled-task script but I keep running into road blocks. 我正在寻找一种安全的方法来存储Powershell凭据以用于计划任务脚本,但是我一直遇到障碍。 Windows Server 2008 environment primarily.
主要是Windows Server 2008环境。
The biggest issue I have found is that even if we throw the password out to a secureString text file and read that in later, that the credential object is inherently flawed for use as a scriptable object. 我发现的最大问题是,即使我们将密码扔到secureString文本文件中并在以后读取,该凭据对象本身也存在缺陷,无法用作脚本对象。 It provides a method that exposes clear text information.
它提供了一种公开明文信息的方法。
$credentialObject.GetNetworkCredential().password
This means that if someone has access to the system and task scheduler, they can extract the password used in my script with little trouble. 这意味着,如果有人可以访问系统和任务计划程序,那么他们可以轻松提取我的脚本中使用的密码。
Does anyone know of a way around this? 有谁知道解决这个问题的方法吗?
If you take a credential object and save it using Export-Clixml
, only the user who exported it can decrypt it, and only on the same computer. 如果您使用凭据对象并使用
Export-Clixml
保存它,则只有导出它的用户才能解密它,并且只能在同一台计算机上。
So the scheduled task also has to run as that user. 因此,计划任务也必须以该用户身份运行。
But the task has to be able to decrypt the credential to use it. 但是任务必须能够解密凭据才能使用它。 There is no way around that.
没有办法解决。 So anyone who can modify the task or modify the code that the task runs can get the credential.
因此,任何可以修改任务或修改任务运行代码的人都可以获得证书。
As @EBGreen said, setting the credentials on the scheduled task only, and not using a credential object at all, could work, but it depends on what you're trying to do, which we can't tell without code. 正如@EBGreen所说,仅在计划的任务上设置凭据,而根本不使用凭据对象也可以,但是这取决于您要执行的操作,如果没有代码,我们将无法告诉您。
You could also try to use the Windows Credential Manager. 您也可以尝试使用Windows凭据管理器。 Here's some code that seems to help with that , but I'm not familiar with this method.
这里的一些代码似乎对此有所帮助 ,但是我对这种方法并不熟悉。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.