Storing encrypted password Powershell

Question

I am having challenge with one of my Powershell scripts. The idea is to run a tool from a client, which will kill some processes using the PID. Proof of concept works - ps1 script is converted to exe (PS2GUI) and the tool is successfully killing the PID of the user on the server.

$credentials = New-Object System.Management.Automation.PsCredential("domain\user",$password)

$scriptBlockSQL = {
sqlplus.exe command
}

Invoke-Command -ComputerName "server" -Credential $credentials -scriptBlock $scriptBlockSQL

However I have a bit of a problem, because I currently store the password in the script as clear text which is very unsafe - since the.exe can be decompiled in less than a few seconds.

I have tried the ConvertTo-SecureString with the encrypted string, however this ties it with the user account & pc - which is not an option. The usage of the Key file is also not an option.

Do you have any suggestion how to make the script safer & usable? Or any other solution which will work in the same way?

Thanks!

Answer 1

Well, when you are encrypting password with a SecureString then you have to define the password somewhere in the code or in another file. So this is not a good idea. Then you have to look for a way to protect script source code in an efficient way.

PS2GUI will encrypt your source code in a reversible encryption, that means when the script is ran by powershell, the engine will decrypt the code. It is also weak because of using symmetric key algorithm.

Powershell scripts are also encrypted in Base64 format, and PS2GUI does the quite same like thing.

The best way I think now is to prompt the user for credentials. Like this:

$password = Read-Host "Enter password" -AsSecureString