我们如何安全地存储Powershell凭据以供脚本使用

Question

I am looking for a secure means to store powershell credentials for use in a scheduled-task script but I keep running into road blocks. Windows Server 2008 environment primarily.

The biggest issue I have found is that even if we throw the password out to a secureString text file and read that in later, that the credential object is inherently flawed for use as a scriptable object. It provides a method that exposes clear text information.

$credentialObject.GetNetworkCredential().password

This means that if someone has access to the system and task scheduler, they can extract the password used in my script with little trouble.

Does anyone know of a way around this?

Answer 1

If you take a credential object and save it using Export-Clixml , only the user who exported it can decrypt it, and only on the same computer.

So the scheduled task also has to run as that user.

But the task has to be able to decrypt the credential to use it. There is no way around that. So anyone who can modify the task or modify the code that the task runs can get the credential.

As @EBGreen said, setting the credentials on the scheduled task only, and not using a credential object at all, could work, but it depends on what you're trying to do, which we can't tell without code.

You could also try to use the Windows Credential Manager. Here's some code that seems to help with that , but I'm not familiar with this method.