Manage credentials securely with password servers – Integration of ScriptRunner and Pleasant
Author: Daniel Finkenzeller, Consultant | Reading time: 3 minutes | Category: Automation, PowerShell & Systems
Introduction
Since version 2018R3, ScriptRunner can also request the credentials used to run PowerShell from password servers. This is especially useful in an enterprise environment and increases security when using PowerShell.
Most password servers work in such a way that, for systems that do not support Managed Service Accounts, the password server changes the account's password in Active Directory and then updates the service that runs under that account. Of course, this is only a workaround, but it is still common practice for many systems today.
Therefore, many ScriptRunner customers asked for the integration of password servers. With ScriptRunner 2018R3, this wish was realized. I had such a customer and therefore took a closer look at this new feature. Of course, I was particularly interested in the user administration and the structure of the connectors.
But let’s start with the simple part. First we take a look at the password server to understand what exactly is possible with it.
Example: Pleasant Password Server
As an example I have looked at the Pleasant password server. ScriptRunner also supports the password servers of CyberArk and Thycotic.
The more complicated a password is, the more secure it is, but also the more difficult it is to remember. Many companies therefore use tools such as KeePass, in which all passwords are stored. Here you only have to remember the master password. Alternatively, a password-protected Excel file with the passwords can be found on a network drive, which is not really nice and also not very secure. A password server is a great solution for storing passwords securely, encrypted and centrally. But the idea still has to be thought through from beginning to end. A password server is not really secure as long as the local admin has full access to the database, is authorized in the application, and the password of the local admin is "Admin1234" as well.
Pleasant has developed a password server for this purpose. This server is used by many companies and integrates perfectly into KeePass.
ScriptRunner and Password Server
By default, ScriptRunner supports the local Windows Credential Manager for storing the necessary passwords. The disadvantage of using Credential Manager is that the passwords are stored locally on the machine and cannot be shared. Therefore, only the user under whom the passwords are created can see and administer them.
This means that once the user under whose account the credentials were stored has been compromised, the attacker has access to the passwords stored under this user.
This is exactly why the support of password servers in ScriptRunner is so important: ScriptRunner is the hub for administrative tasks in many companies. Password sharing is a common scenario as well, because to test a function you often want to test with the user under which the action is executed. In addition, for security reasons many companies make it mandatory to change passwords at regular intervals. Manual rework in ScriptRunner after such a change should be avoided.
Explanation: Communication ScriptRunner – Password Server
The communication between ScriptRunner and Pleasant runs in the following 4 steps:
- A user/admin starts an action through the ScriptRunner web interface.
- ScriptRunner recognizes that the action is executed by an account managed by a password server and asks for the password.
- The password server returns the password to ScriptRunner.
- ScriptRunner executes the action with the managed user.
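The four steps above, sketched as an added example (not ScriptRunner's or Pleasant's own code). The in-memory `$Vault` table stands in for the password server, and the entry ID, account name and the functions `Get-VaultCredential` and `Invoke-ManagedAction` are hypothetical. It shows that the calling side stores only an entry ID, so a password rotation on the server needs no rework on the caller.

```powershell
# Constructed stand-in for a password server: entry ID -> account and current password.
# (Hypothetical data; a real connector calls the vendor's API instead.)
$script:Vault = @{
    '3f2c9a4e-0000-4000-8000-000000000001' = @{
        User     = 'CONTOSO\svc-adquery'
        Password = 'Initial-Pa55!'
    }
}

function Get-VaultCredential {
    # Steps 2 and 3: resolve the entry ID to a PSCredential at execution time.
    param([Parameter(Mandatory)][guid]$EntryId)
    $entry = $script:Vault[$EntryId.ToString()]
    if (-not $entry) { throw "No password server entry with ID $EntryId" }
    $secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
    [pscredential]::new($entry.User, $secure)
}

function Invoke-ManagedAction {
    # Steps 1 and 4: the action is configured with an entry ID only, never a password.
    param(
        [Parameter(Mandatory)][guid]$EntryId,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $cred = Get-VaultCredential -EntryId $EntryId
    try     { & $Action $cred }
    finally { $cred.Password.Dispose() }   # release the SecureString once the action is done
}

# Constructed action: report which account was handed over and how long its password is.
$action = { param($c) '{0} ({1} chars)' -f $c.UserName, $c.Password.Length }
$id     = [guid]'3f2c9a4e-0000-4000-8000-000000000001'

Invoke-ManagedAction -EntryId $id -Action $action

# The password server rotates the password; nothing is changed on the calling side.
$script:Vault[$id.ToString()].Password = 'Rotated-And-Longer-Pa55!'
Invoke-ManagedAction -EntryId $id -Action $action
```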
Password Server Connector
In order to accomplish this task, a new type of connector has been available since version 2018R3 – the Password Server Connector. Currently, we have three manufacturers in our product range: Pleasant, CyberArk and Thycotic. The inclusion of further password servers is planned.
Step-by-step: How to Set Up the Password Server Connector
In order to connect a password server to ScriptRunner, the password server connector must first be set up. This is done with PowerShell on the ScriptRunner host.
With “Get-ASRPasswordServerConnector” the current configuration can be queried.
Configuration
To set up a new connector, you can use the Set-ASRPasswordServerConnector cmdlet.
Attention: this will restart the service!
Setting up a password server connector
View in the ScriptRunner AdminApp
Usage
Once the password server has been set up successfully, credentials from the password server can be used. For Pleasant, the ID from the direct link must be used for this purpose.
Entry in Pleasant
Testing the configuration
To test the correct installation and configuration of the password server, I created a small action in ScriptRunner.
Creation of a credential in ScriptRunner
First, a credential is created in the action to connect to a user and password. The password server was used and the ID from the direct link was entered. This ID must be unique.
After creating the credential, a target is created for which the credentials are used.
Creation of a target in ScriptRunner
When creating the credential, the only difference compared to the system without a password server is that I put the account right behind the credential.
Creating a script for an action
For testing purposes, I created an action to view account information from the Active Directory.
Creating an Action in ScriptRunner
Select a target in the Action
If the communication between password server and ScriptRunner works, the action can be executed. There is no difference in time, though this depends on the configuration of the password server and on the infrastructure.
Report I
Report II
Conclusion
This was a short introduction to the password server connector of ScriptRunner in connection with Pleasant.
Have fun with this feature and happy automation 🙂