user1221996

Reputation: 127

PowerShell secure password to work on any machine

I need to write a PowerShell script that I can run on any machine to connect to a server. Does the secure string encrypt using the machine or user, i.e. will a secure password work on any machine in the domain, or can it only be decrypted on the machine it was created on? If it is the latter, is there a way to encrypt the password so I can run the script on any machine?

Upvotes: 11

Views: 19968

Answers (3)

Alex

Reputation: 1

So the only way you can create a secure string that can be used on multiple machines is to use a key when you create the password.

On the first machine, run the following to make the secure string:

$Key = (3,4,2,3,56,34,254,192,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

read-host -assecurestring | convertfrom-securestring -key $Key | out-file C:\Scripts\test\securestring_movable.txt

Type in the password at the prompt.

Then copy the secure string file onto another machine and run:

$Key = (3,4,2,3,56,34,254,192,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

$password = cat C:\Scripts\test\securestring_movable.txt | ConvertTo-SecureString -Key $Key

In my use case only the secure string file lives on the remote machine. I then use Zoho's Desktop Central or Heimdal to run the script remotely. That way the key and the secure string are not on the same machine.

This way you deploy the secure string to multiple machines, into the correct folder, and then you can run your script against that string. I use this to monitor laptops. The secure string holds the password to a basic account that has email. I use the account to check that key IT software is installed, that the VPN is connected and some other basic monitoring information, and then, if there is a problem with anything, email back to IT with the details.

Upvotes: 0

Andy Arismendi

Reputation: 52699

To work on other machines you'll need to create a key for use with the ConvertTo-SecureString and ConvertFrom-SecureString cmdlets.

PS C:\> $Key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
PS C:\> $StandardString = ConvertFrom-SecureString $SecureString -Key $Key

http://www.leeholmes.com/blog/2006/06/01/securestrings-in-powershell/

By default, the SecureString cmdlets use Windows’ Data Protection API when they convert your SecureString to and from a plain text representation. The encryption key is based on your Windows logon credentials so only you can decrypt the data that you’ve encrypted. If you want the exported data to work on another system or separate user account, you can use the parameter sets that let you provide an explicit key.

Upvotes: 13
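
An added example, not code from any of the answers on this page: the `-Key` approach described in the two answers above, using a randomly generated 256-bit key stored in an ACL-restricted file instead of a key literal inside the script. The paths and the account name are placeholders; anyone who holds both the key file and the encrypted file can recover the password, so the two are stored and delivered separately.

```powershell
# Added example. Paths and the account name are placeholders, not values from a real system.
$keyPath  = 'C:\Scripts\test\aes.key'
$passPath = 'C:\Scripts\test\securestring_movable.txt'

# Machine A: generate a random 256-bit AES key (16, 24 or 32 bytes are valid for -Key).
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyPath, $key)

# Restrict the key file to the current user: drop inherited ACEs, grant one explicit rule.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'Allow'
$acl  = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Encrypt the typed password with the key instead of DPAPI and save the result.
Read-Host -Prompt 'Password' -AsSecureString |
    ConvertFrom-SecureString -Key $key |
    Set-Content -Path $passPath

# Machine B (any user): load the same key and rebuild the credential.
$key = [System.IO.File]::ReadAllBytes($keyPath)
$securePassword = Get-Content -Path $passPath | ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'Domain\MyName', $securePassword
```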

E.V.I.L.

Reputation: 2166

That's a great question. Here's a link to how to save your credential. I got this set up and I'm going to try my credential string on another computer logged in with another account. I'll let you know my result.

Update

I would have to say it didn't work for me. I went on the other person's machine, logged in as them. I have my credentials set up in a script called Get-MyCred:

$username = 'Domain\MyName'
$password = cat '\\server\share\securestring.txt' | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

return $cred

When I run the line where it gets my password, I get an error on the other person's machine.

ConvertTo-SecureString : Key not valid for use in specified state.
At line:1 char:56
+ Get-Content O:\BCKUP\MyScripts\Cred\securestring.txt | ConvertTo-SecureString
+                                                        ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
+ FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

I even get the error when I log into another computer with my credentials.

Upvotes: 0
