
Secure use of credentials in PowerShell with ScriptRunner

Author: Frank Kresse, Head of Product | Reading time: 3 minutes | Category: PowerShell & Systems, Security


This article has been translated automatically.

Authentication via credentials is the most common form of access identification in PowerShell. It is done with the Credential parameter, which receives the combination of user name and password as a PSCredential object. Since this is sensitive data belonging to privileged accounts, the security of these accounts must have the highest priority. However, the most common methods of handling credentials have significant security gaps, as shown below.

  • PSCredential objects with the New-Object cmdlet
  • Creating PSCredential objects with the Get-Credential cmdlet
  • Use PSCredential objects with ScriptRunner
  • Learn more about the secure use of PowerShell

PSCredential objects with the New-Object cmdlet

The easiest way to create a PSCredential object is code like this:

    # Insecure: user name and password are literals in the script
    $user = "Max_Mustermann"
    $password = "Passwort123"
    $secure_pwd = $password | ConvertTo-SecureString -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secure_pwd

The username and password are entered as plain text in the PowerShell script. The password is converted to a SecureString because it can only be passed in this form, and the PSCredential object is then created. From a security point of view this approach is extremely critical: because both values are in the script as plain text, they are visible to everyone.

The following code offers more security:

    $user = "Max_Mustermann"
    $secure_pwd = Read-Host -AsSecureString
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secure_pwd

Only the user name is entered as plain text in the PowerShell script; the password is created directly as a SecureString. However, this method also has security holes, since the script still reveals the user name. In addition, neither automation nor delegation of scripts is possible, since the password must be entered interactively each time a script is executed.

The password can also be stored in an external file:

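    # One-time step: prompt for the password and store it encrypted in a file
    Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File "C:\Password.txt"

    # In the script: read the file back and rebuild the SecureString
    $user = "Max_Mustermann"
    $pwd_file = "C:\Password.txt"
    $cred = New-Object -TypeName System.Management.Automation.PSCredential $user, (Get-Content $pwd_file | ConvertTo-SecureString)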

With this method, the password is encrypted and stored in an external text file. The script reads the file back in and converts its content into a SecureString. This allows scripts to be automated, since user names and passwords no longer have to be entered interactively. However, this procedure is not completely secure either, as SecureStrings can also be converted back in order to obtain the password. Another disadvantage is that the text file must be accessible during execution, which makes it impossible to delegate scripts. Here, too, the user name is entered as plain text in the script.
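As an added example (not from the original article and not ScriptRunner code), the following check parses script text with PowerShell's own parser and reports every ConvertTo-SecureString call that uses -AsPlainText, which is the marker of the first, hard-coded variant above. The function name Find-PlaintextSecureString and the two sample scripts are assumptions constructed for illustration.

```powershell
# Added example. Find-PlaintextSecureString is a hypothetical helper name,
# not a built-in cmdlet; the sample scripts below are constructed.
function Find-PlaintextSecureString {
    param([Parameter(Mandatory)][string] $ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation, including ones inside pipelines and script blocks
    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }
    $commands = $ast.FindAll($isCommand, $true)

    foreach ($cmd in $commands) {
        if ($cmd.GetCommandName() -ne 'ConvertTo-SecureString') { continue }

        # -AsPlainText may be abbreviated (-As, -AsPlain, ...), so match by prefix
        $asPlain = $cmd.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            'AsPlainText'.StartsWith($_.ParameterName, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($asPlain) {
            [pscustomobject]@{
                Line      = $cmd.Extent.StartLineNumber
                Statement = $cmd.Parent.Extent.Text   # whole pipeline, for context
            }
        }
    }
}

# Constructed sample: the hard-coded variant (is reported)
$hardcoded = @'
$user = "Max_Mustermann"
$password = "Passwort123"
$secure_pwd = $password | ConvertTo-SecureString -AsPlainText -Force
'@

# Constructed sample: the interactive variant (is not reported)
$interactive = @'
$user = "Max_Mustermann"
$secure_pwd = Read-Host -AsSecureString
'@

Find-PlaintextSecureString -ScriptText $hardcoded
Find-PlaintextSecureString -ScriptText $interactive
```

The file-based variant is not reported either, because its ConvertTo-SecureString call reads an already encrypted string and does not use -AsPlainText.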

Creating PSCredential objects with the Get-Credential cmdlet

One very popular way to create a PSCredential object is to use the Get-Credential cmdlet:

$cred = Get-Credential -Message "Bitte geben Sie Nutzername und Passwort ein"

That way, the user can use an input box to enter the username and password (Figure 1). The entered password is stored as SecureString.

Figure 1: Dialog box for entering username and password, based on a PSCredential object

Although this method has no security vulnerabilities, the credentials must be entered interactively in the PowerShell console each time the script is run. This prevents both automation and delegation of scripts.

Use PSCredential objects with ScriptRunner

ScriptRunner allows you to store credentials safely and fully automate your scripts. The menu item “User Accounts” holds all privileged accounts, with their passwords, that ScriptRunner should use to execute scripts on other systems. Passwords and usernames are stored in the Windows Credential Manager on the local system of the ScriptRunner host. As an additional security precaution, the username is replaced by a randomly generated number. Since the information is stored on the local system, a normal Windows user cannot access it.

Figure 2: All privileged accounts and passwords that ScriptRunner needs to use to run scripts on other systems are stored locally on the ScriptRunner host

In the PowerShell script, the required credentials are simply inserted as variables, without any reference to the username or password used in the script.

    Param (
        [PSCredential] $PSCred1,
        [PSCredential] $PSCred2
    )

Actions are always started from the ScriptRunner host with the credentials stored there. The required credentials are configured in the action/policy and are only introduced into the PowerShell process at runtime.

Since there is no interactive input of the username and password at runtime, Service Desk users of delegated scripts do not need to know the name or password of an administrative account to perform an action.


Learn more about the secure use of PowerShell

Download the free PowerShell Security-Guide and learn about

  • PowerShell as hacking-tool
  • How to disarm PowerShell with integrated mechanisms
  • Restrict the execution of scripts
  • Setting Execution Policies
  • Securing communication
  • SSH Remoting with Public Key Authentication

And many more topics!

About the author:

Frank Kresse, Head of Product

Frank Kresse is the Head of Product. As the inventor of the automation and delegation solution for PowerShell, he advises clients on use case scenarios and develops solutions for the automation and the digitalization of their processes. He is also involved in technology start-ups.
