Posted by: 冷日 Posted: 2016/1/23 9:14:51
Working with Passwords, Secure Strings and Credentials in Windows PowerShell
Introduction
Passwords in PowerShell can be held in a number of different forms:
String - Plain text strings. They hold any text, so of course they can hold passwords too. Strings are insecure: they sit in memory as plain text, they are immutable (so they cannot be scrubbed once created), and most cmdlets will not accept a password in this form.
System.Security.SecureString - Like a normal string, but its contents are kept encrypted in memory (on Windows, with DPAPI). The encryption is reversible, so the password can be recovered when needed. The protection is against memory dumps, page files and accidental logging, not against code running in the same process, which can always decrypt it.
System.Management.Automation.PSCredential - A class composed of a user name (String) and a password (SecureString). This is the type most cmdlets require when specifying credentials.
Converting from one type to another is not always obvious. The suggested methods are as follows:
Create SecureString
Type the password in an interactive prompt
$SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString
Convert from existing plaintext variable
$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
Create PSCredentials
Assuming that you have the password in SecureString form in the $SecurePassword variable:
$UserName = "Domain\User"
$Credentials = New-Object System.Management.Automation.PSCredential `
-ArgumentList $UserName, $SecurePassword
Extract password from PSCredentials
The password can be obtained from a PSCredential object using the GetNetworkCredential method; the result is an ordinary plain-text string, so do this as late as possible and only when the consuming API leaves no alternative:
$PlainPassword = $Credentials.GetNetworkCredential().Password
Extract password from SecureString
If you only have a SecureString with the password, you can construct a PSCredential object and extract the password with the previous method. Another method is to copy it to an unmanaged BSTR, read it, and then zero and free the unmanaged copy (the managed $PlainPassword string itself cannot be scrubbed):
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {
    $PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)  # wipe the unmanaged copy
}
Saving encrypted password to file or registry
If a password must be stored for a script that runs unattended (from the Task Scheduler, as a service, or in some other way), it can be saved to the file system or the registry in encrypted form, as the string representation of a SecureString. Without the -Key parameter, ConvertFrom-SecureString encrypts with DPAPI under the current user's profile key, so only the same user on the same machine can decrypt the value. When saving it, therefore, use the very account (and machine) that the script or service will run as.
Converting a SecureString variable to its encrypted string representation
$SecureStringAsPlainText = $SecurePassword | ConvertFrom-SecureString
$SecureStringAsPlainText is a long hexadecimal string (for example beginning "01000000d08c9ddf0115d1118c7a00c04fc297eb...") that can be stored in a file, a registry property or any other storage. When the script needs the SecureString object back, it can be recovered this way:
$SecureString = $SecureStringAsPlainText | ConvertTo-SecureString
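The complete unattended-script pattern, as an added example that is not code from the original article: the credential is saved once under the task's account with DPAPI and read back by the scheduled script, with a clear error when the account or machine does not match. The path, the account name, the target host and the function names are assumptions for illustration.

```powershell
# Added example (not from the original article): persist a credential for an
# unattended script with DPAPI and read it back under the same account/machine.
# $CredentialPath, 'CONTOSO\svc-backup' and 'backup01' are assumed values.
$CredentialPath = Join-Path $env:LOCALAPPDATA 'BackupJob\svc-credential.xml'

function Save-ScriptCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Path
    )
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    # ConvertFrom-SecureString without -Key encrypts with DPAPI under the *current user's*
    # key on *this machine*. Record who saved it so a mismatch at run time is reported
    # plainly instead of as a cryptic DPAPI error. Only the user name is stored in clear.
    [pscustomobject]@{
        UserName          = $Credential.UserName
        EncryptedPassword = $Credential.Password | ConvertFrom-SecureString
        SavedBy           = $me
        SavedOn           = $env:COMPUTERNAME
    } | Export-Clixml -Path $Path

    # Defence in depth: let only the saving account read the file. DPAPI is the real control.
    icacls $Path /inheritance:r /grant:r "${me}:(R,W)" | Out-Null
}

function Get-ScriptCredential {
    param([Parameter(Mandatory)][string]$Path)
    $stored  = Import-Clixml -Path $Path
    $current = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($stored.SavedBy -ne $current -or $stored.SavedOn -ne $env:COMPUTERNAME) {
        throw ("Credential file '{0}' was saved by {1} on {2} but is being read by {3} on {4}; " +
               "DPAPI cannot decrypt it here. Re-save it under the task's own account.") -f
               $Path, $stored.SavedBy, $stored.SavedOn, $current, $env:COMPUTERNAME
    }
    $securePassword = $stored.EncryptedPassword | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential -ArgumentList $stored.UserName, $securePassword
}

# One-time setup, run interactively *as the account the scheduled task will run under*:
#   Save-ScriptCredential -Credential (Get-Credential 'CONTOSO\svc-backup') -Path $CredentialPath
#
# In the unattended script (same account, same machine):
#   $cred = Get-ScriptCredential -Path $CredentialPath
#   Invoke-Command -ComputerName backup01 -Credential $cred -ScriptBlock { hostname }
```

If the same file has to be read by several accounts or machines, ConvertFrom-SecureString and ConvertTo-SecureString accept -Key (a 16, 24 or 32-byte AES key) instead of DPAPI; the key then becomes the secret and must itself be kept where only the task can read it. Piping a whole PSCredential straight to Export-Clixml gives the same DPAPI protection for the password part as the explicit ConvertFrom-SecureString used above.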
Best Practices
Where possible, do not ask for passwords at all; use integrated Windows authentication.
When that is not possible, or when specifying different credentials is useful, cmdlets and script functions should accept passwords only as PSCredential objects or (if no user name is needed) as SecureString, never as plain text.
If you need to ask the user for credentials, use the Get-Credential cmdlet. It uses the standard Windows credential prompt, so the password is collected consistently and lands in a SecureString without ever being held as a clear-text string.
Credentials should also be passed to external systems in the most secure way the target supports, ideally as PSCredential (or SecureString) objects rather than decrypted strings.
Passwords must not be written to disk, the registry or any other unprotected storage in plain text. Store the encrypted string produced by ConvertFrom-SecureString (or a PSCredential exported with Export-Clixml, which protects the password the same way) instead.
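A script function that follows these practices, as an added example rather than code from the original article: it takes a PSCredential only, falls back to integrated Windows authentication when none is given, and hands the SecureString to the target API without ever decrypting it. Get-ServiceConnection and the server name are hypothetical; System.Data.SqlClient is loaded by default in Windows PowerShell 5.1 (PowerShell 7 needs the package installed).

```powershell
# Added example (not part of the original article). Shows how a function should take
# credentials: PSCredential only, integrated authentication by default, and the
# SecureString passed to the consuming API without a plain-text round trip.
# Get-ServiceConnection and 'sql01.contoso.com' are hypothetical names.
function Get-ServiceConnection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ServerInstance,

        # [Credential()] lets callers pass either a PSCredential or a bare user name;
        # a bare name raises the standard Get-Credential prompt, so the function never
        # needs a plain-text password parameter. Empty means "use my Windows identity".
        [Parameter()]
        [ValidateNotNull()]
        [System.Management.Automation.Credential()]
        [pscredential]$Credential = [pscredential]::Empty
    )

    $connectionString = "Server=$ServerInstance;Database=master;Encrypt=True"

    if ($Credential -eq [pscredential]::Empty) {
        # Preferred path: integrated Windows authentication, no secret handled at all.
        return New-Object System.Data.SqlClient.SqlConnection `
            -ArgumentList "$connectionString;Integrated Security=True"
    }

    # SqlCredential consumes the SecureString directly (no BSTR, no plain string) but
    # requires it to be read-only. Work on a Copy() so the caller's object is untouched.
    $password = $Credential.Password.Copy()
    $password.MakeReadOnly()
    $sqlCredential = New-Object System.Data.SqlClient.SqlCredential `
        -ArgumentList $Credential.UserName, $password

    # With a SqlCredential the connection string must carry neither 'Integrated Security'
    # nor a password; the constructor throws if it does.
    New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString, $sqlCredential
}

# Usage (constructed). Both calls return an unopened connection; call .Open() against a
# reachable instance. The second form prompts via Get-Credential because a bare name is given.
#   $conn = Get-ServiceConnection -ServerInstance 'sql01.contoso.com'
#   $conn = Get-ServiceConnection -ServerInstance 'sql01.contoso.com' -Credential 'reporting_user'
#   $conn = Get-ServiceConnection -ServerInstance 'sql01.contoso.com' -Credential (Get-Credential)
```

The same shape applies to any cmdlet with a -Credential parameter (Invoke-Command, Start-Process, Invoke-WebRequest, New-PSDrive): pass the PSCredential through unchanged. Only an API that insists on a plain string justifies the GetNetworkCredential() or BSTR extraction shown earlier, and then it should happen at the last possible moment.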
TechNet Gallery
https://gallery.technet.microsoft.com/Execute-PowerShell-Script-38881dce
Original source: Working with Passwords, Secure Strings and Credentials in Windows PowerShell - TechNet Articles - United States (English) - TechNet Wiki