Learn to securely use Passwords with PowerShell

Captions
Today we're going to talk about passwords in PowerShell. If you're like most people, you've got them all right there in Notepad in clear text whenever you're using the PowerShell scripts, or cutting and pasting, or storing them there in plain. So what I want to do in today's video is show you some of the good ways to do it and the better ways to do it, so your passwords are a little bit safer at night. All right, but first, here's our intro.

Hi, my name is Shane Young with Bold Zebras. So guys, in today's show we're going to jump in and look at passwords in PowerShell. We're going to look at how to store them in plain text, bad idea. We're going to look at how to have it prompt for passwords every time you need to use them. Then we're going to look at how you might do it in a more secure manner, so we're looking at encrypting them in a local file. And then finally we want to end with using the Windows Credential Manager and how we can integrate that into our process. The focus of most of the scripts will be using it for SharePoint Online, but all the techniques we will discuss here can be used for any of your PowerShell scripts where you might be storing passwords today. So, should be fun. Let's switch over to my desktop and get started.

All right, so my desktop here is a Windows 8.1 machine that I built just for these exercises. I've installed the Windows Management Framework 5.1 and I've also installed the PSReadLine utility for PowerShell. So if you're not familiar with those tools, they kind of get your PowerShell up to the latest and greatest, and then it makes it a little easier to use because it's going to color code my cmdlets. If you're not familiar with that, there is a video linked down below that has the step-by-step on how to get that installed, but I'm going to assume you've already done that. So the first thing I'll do is I will just go ahead and hit Start and I'm going to type in PowerShell, and then what we're going to do is we need to run as administrator, right? So we're going to right-click and say Run as administrator, yes to the UAC prompt.

And so then, now that PowerShell is up and running, the first thing I want you guys to do is make sure you're going to do a Start-Transcript, right, using tab complete there to finish it. This is just a good idea that just gives us that running history of everything that we've done. Speaking of the history, all of the PowerShell I'm going to show you today, I'll make that available as a download link, so it's free, you just have to give me your email address so, you know, Bold Zebras can spam me once a month if you do it. But that way you don't have to kind of type all this PowerShell in, especially for having any boo-boos. So if you want that, the link is down below to get there.

Okay, so here we are, we'll clear up our screen. And so when it comes to passwords, probably the most common thing that I see is people using the script that has, you know, just the variable equals username, right? So something like this: I would say, you know, $username equals, and then there's our account, and then I would have another line that says $PW equals my password. Maybe I blurred it out, maybe I don't, let's see what happens. So that gets those two into a variable. Once those are in a variable, what I would do then is I would need to convert it to a secure string. So generally speaking PowerShell won't let you use passwords unless they're a secure string, but they give you a function, ConvertTo-SecureString, to put that in there, and you see you have to use the -Force parameter, so yes, I really want to change that. And so right now if I typed in $SP, you see that it just says, hey, it's a secure string, it's not going to show it to me, whereas if I was to type in $PW it would show me the plaintext password that I put in.

Okay, so now I've got $UN, my username, and $SP with the secure password, and so then what I'll often do is I'll then have to convert those to an actual credential. So then you would run a line like this, right: $plainCred, I just made up a name, plainCred, equals New-Object System.Management.Automation.PSCredential -ArgumentList $UN, $SP. So if we do that, that is now created as a credential object with that username and password safely stored in it. So if I wanted to connect to my SharePoint Online account I could do Connect-MsolService -Credential $plainCred, hit enter, and that's going to connect us to Office 365. If you don't have the Office 365 stuff installed, you need to; I also have a video for that, link down below. And remember, I'm showing this in the context of Office 365 or the SharePoint Online stuff, but you could be doing it for different reasons, so don't get hung up on the fact that I'm using Office 365 for all my examples. But I did Connect-MsolService, and so then the last thing I will do here real quick is just a Get-MsolUser, and so then that way we'll see the users get listed, and so we know that I successfully authenticated out to Office 365 using a plaintext password.

So that's probably, A, the most common way that I see people use usernames and passwords, is put them right there in plain text in their scripts, but, B, is the least secure possible way, because anyone looking over your shoulder could see the password is right there in plain text. So I don't want you to do it that way, but I know a lot of you do, so I wanted to kind of cover what was going on with that methodology. We'll clear our screen.

So the second way that you could do it, this is a way that I've shown in most of the previous videos that I've done, is to use the PowerShell cmdlet Get-Credential. So what I'm going to do here is I'm going to run $askCred, we create a variable called askCred, and I'm going to say equal to Get-Credential. When I do that I'll get a pop-up box, and so for that pop-up box then I can type in the username and password. So this is a good methodology because it is secure, I'm not storing the stuff, but it is annoying: you have to put it in there, and especially if you're trying to do automated scripts and things like that, it gets to be kind of cumbersome to, you know, type in the username and password for your automated scripts. Not really automated at that point. But once we've done something like that, right now if I do a Connect-MsolService and then -Credential, and I do $askCred, almost sound like I said a bad word there, I didn't. So that works, right, and then we do Get-MsolUser, and so you can see that methodology works.

That's the one that I've shown in all my other videos that are done with the PowerShell online stuff and the Azure stuff, different ways of scripting. And speaking of Azure though, Azure uses a different credential set than the standard PowerShell credentials, so it's actually a whole different topic. So this will apply to... if you're trying to use Login-AzureRmAccount, that's not going to work for this one. There's a different methodology for that, and there'll be a link down below for better reading or another video on that, depending on what I come up with. So that's the second way to do credentials, right? It's good, it's secure, but it's kind of cumbersome because you had to manually do it.

So the third methodology we're going to look at here is using a blog post that my buddy Todd Klindt wrote, and, you know, it's written on here as a hundred different, from a hundred different people, a hundred different ways, but in his script what he does is he shows you how to create a local file on your file system that stores that username and password. And I would give this a decent amount of security, right, because as we're going to see as we work this process, it's going to save it, using a password, to a file, and the password will be encrypted, or hashed might be a better way of putting it. The password will be in a more secure fashion, and that file that stores these can't readily be used on another system. It's tied to the account that you used to create the file with, so that makes it a little more secure.

Now the bad news is, I'm guessing with a little bit of poking around the internet you can probably figure out how to reverse engineer all of it, but generally speaking, when we think about security we're trying to make it so someone doesn't accidentally discover the password, and we know if someone goes and does this process they would be maliciously hacking your computer to get this file and then to decrypt it. So, you know, it's not going to stop that person from getting into this methodology, but we are going to stop the casual looky-loo person, so that's what we're probably after anyway.

So to do this methodology we're going to run through a few steps here, and so the first one is we're going to create the file. And before I create the file I'm going to make us a folder, so there's no shenanigans. So here on the C drive I'm going to create a new folder called safe, right? I could have done this with PowerShell, could have done md, for make directory, and then C:\safe, but I don't know, visuals are sometimes easier. So I made a folder called safe, there's nothing in it, and so we're going to paste in here.

And so the first step in this process, right, the first time we have to give it the credentials so that we can, you know, store those securely. So let me type in my username here, or actually cut and paste my username, I'm too lazy to type this big old thing in. This is the real reason I wanted to be able to automate all that stuff: the username and password's just too long for me. Okay, so, right, so $credential is equal to Get-Credential, so we put the values that we just typed in into here, and then $filename equals C:\safe\secretfile.txt, so we're going to store it in that particular file. And so we're going to take those credentials, take that object, and pipe it over to Export-Clixml and then pass it the filename. So hit enter, and so when we do that we can see we get a secret file here on the file system. If we double-click on it you can see there's a username in plain text and here's the password. That is not what I typed in, right? I typed in like 10 characters and this is, I don't know, a hundred, hundreds, I don't know, a whole bunch of characters, because that was that process of hashing it. So it's been stored on the machine, it's the secret file, yay. So close that, we'll close this.

So then now in my script, to use that particular file, what I can do is I just need this little chunk of PowerShell, so I put this in all my files, there you go. So $credPath equals the location of the file, and then $fileCred is Import-Clixml -Path $credPath. So go get that file and import the Clixml stuff, and that's going to decrypt it as long as you're on this machine using the same user account. If I was to take that secretfile.txt file and go dump it on my server and log in with a different account, it's not going to work, it does not compute. So this is where you get that little bit of security, because this file is now tied to the account that I went ahead and created this as. So that's all done, and then now let's try out our SharePoint Online stuff using that methodology. So Connect-MsolService -Credential $fileCred and Get-MsolUser. Boom.

So let's scroll back up here. So this is a great one, right, if you're just trying to figure out, you know, a simple way to get stuff into a text file so you can automate your passwords. This is probably the simplest of the methodologies. You get a little bit of security, not foolproof, but a little bit. Now, also keep in mind, if you're going to do this for a script you're going to automate, so you want to, you know, run a Windows task every day at 4 a.m. to back up some stuff using PowerShell and you want to store the password this way, you need to run that Windows task as the same account that you created the secret file as. You'd just have to do that, right? You go in and change the Windows task to be that. If you want the Windows task to run as a service account, then you need to log in to the system one time as that service account and create the secret file with that particular account, so that it would have access when it was running as that account for your timer job every night. So just keep that in mind, that is an important little caveat to this methodology, right? But that's a good one, I really like that one. Kudos to Todd for, you know, documenting that for us.

All right, so let's clear the screen. So the last one here I want to talk about, this is one that I've been using very recently. This is kind of one I was looking for, I couldn't find it, I couldn't find it, and I finally tripped over it. I figured out this problem and that's what kind of prompted me to go ahead and make this video. I mean, in between watching all the cat and dog videos, watching the Puppy Bowl, hopefully you guys got to watch the Puppy Bowl, my kids are big fans, so while watching the Puppy Bowl I got this all solved, and this is what we got.

And so with this methodology we're going to use the Windows Credential Manager. So the first thing I want to do is hit Start and I'm going to type in Credential Manager. And I am told that this is available on Windows 7; I've confirmed it's on Windows 8, Windows 10, so I don't think there should be anything surprising for anyone. So now I'm in Credential Manager here. What you want to do is you want to go to Windows Credentials, and I'm going to say I want to add a generic credential, and it's like, hey, what is the internet or network address? So I'm not going to ask you; then we'll give it a name. I'm going to call it O365, right, so O for Office and 365. And then for my username here I'm going to put in the same username we've been using, just like that, and then for the password I will type in my password. No peeking guys, I know you were trying to steal my password, but okay. And so then now that has been stored in my local Windows Credential Manager, so that is available now.

Unfortunately, to take advantage of the components of Credential Manager, there's nothing built in to PowerShell, so I've had to go and find a third-party way to do that. It's a free one, it's out there on the PS Gallery, but to install that you're going to go out and get CredentialManager. The good news is PowerShell makes it pretty easy. I'll go to my PowerShell window. All right, so we're going to run the line Install-Module -Name CredentialManager and hit enter. So after a few seconds here I'm getting prompted: hey, this is an untrusted repository, are you sure you want to install from there? Everything you read on the internet is true, so of course you do, so we're going to type in yes and hit enter. Also, if this is your first time installing a module remotely, you might get prompted whether you want to install the latest version of NuGet. That's the package handler that pulls this stuff down. You want to say yes to that also if you got prompted for that. We've covered some of that in the other video, so I don't want to harp on it too much here.

But the other thing to keep in mind, if you're having problems with these remote scripts, you might want to check your execution policy, right? So Get-ExecutionPolicy: you need to be running RemoteSigned. If you do Get-ExecutionPolicy and it says Restricted, a lot of these remote scripts aren't going to work, and so if it was Restricted then you would just do Set-ExecutionPolicy RemoteSigned, just like that. It would warn you, are you sure you want to change it, and yes you would. So that's a quick little trick there.

All right, so now we've installed the CredentialManager utility off of PS Gallery. I'll clear my screen off. And so CredentialManager only comes with like four or five cmdlets. If you want to see those you could type in Get-Module, or sorry, Get-Command -Module CredentialManager, and so it only comes with four commands: Get-StoredCredential, Get-StrongPassword, New-StoredCredential and Remove-StoredCredential. So what we're going to take advantage of is Get-StoredCredential. So now we have that available to us. We'll clear our screen off again and we'll paste over here. So say $managedCred equals Get-StoredCredential -Target O365, all right, O365 being the credential that we just created over in the Credential Manager, right? So we hit enter there, so that puts that value there, and if I did everything correctly we should now be able to do Connect-MsolService -Credential... oh, it should be $managedCred, not $askCred. So we'll do that again, $managedCred. All right, that would say that connected, and then we will do Get-MsolUser just to make sure that I got all of our users.

So there's a great methodology, right? Now we know that the username and password that I have access to is stored in the credential store, so I know it's secure. I know that someone can't just, you know, Google for five minutes on how to hack that and get that password out of there. So that's a pretty good method for getting passwords, storing them and using them, whether it be for service accounts or for connecting to your online resources or things like that, and it feels good that it is all taken care of.

The other nice thing about using Credential Manager is that the PnP, right, the Patterns and Practices PowerShell, there's a video for that down below if you haven't used it before, that's the main thing I use for working with SharePoint Online, it natively supports the Credential Manager, so you don't have to use that. Not only that, but if I do this script right here, connect to the Patterns and Practices online, right, so Connect-PnPOnline -Url, that's the URL to my SharePoint tenant, and then -Credential O365, that being a way of saying Credential Manager. They have a built-in methodology for using Credential Manager, so you don't need the third-party tool. But now we know how to use Credential Manager both for Patterns and Practices PowerShell and for our SharePoint Online, you know, getting to our Azure account or MSOL services and things, so it's a pretty handy way to go.

So I think that about wraps it up. Hopefully it helps you guys in understanding how many of the different options you have around passwords, how you're managing them. You know, it shows you the evil way of doing it in plain text, that's what you really need to do, what you need to do, but at least I've shown you the right ways and the wrong way of how to do all this. As always, if you like what you see here, you know, give me a thumbs up or hit the subscribe button. There's lots of PowerShell videos out here, and if you need help with this, leave a comment below. If you check the other videos, I get lots of questions and I always try to answer them and help people work through their problems, but sometimes if it's a little more than just some answers online, I can also do some consulting with you through Bold Zebras, and of course you can always tweet me at chains house. So thanks, have a great day.
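
Added example, not part of the video or its download: the Export-Clixml / Import-Clixml method from the captions, wrapped with the checks an unattended script needs. On Windows the exported password is protected with DPAPI for the current user on the current computer, which is why the file only imports under the account that created it. The function names are hypothetical; C:\safe\secretfile.txt is the path used in the video.

```powershell
# Added example; Save-ScriptCredential and Get-ScriptCredential are hypothetical names.

function Save-ScriptCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Export-Clixml writes the user name in clear text and the password as a
    # DPAPI-protected blob bound to this user on this computer.
    $Credential | Export-Clixml -Path $Path

    # Keep other local accounts from reading or replacing the file:
    # stop inheriting the folder's permissions and grant only the current user.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ScriptCredential {
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -Path $Path)) {
        throw "Credential file '$Path' not found. Create it once, interactively, as $env:USERNAME."
    }
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    }
    catch {
        # Typical cause: the script runs as a different account, or on a different
        # computer, than the one that created the file, so DPAPI cannot unprotect it.
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    if ($cred -isnot [pscredential]) {
        throw "'$Path' does not contain a PSCredential object."
    }
    return $cred
}

# One-time setup, run interactively as the account the scheduled task will use:
#   Save-ScriptCredential -Path 'C:\safe\secretfile.txt' -Credential (Get-Credential)
#
# In the automated script:
#   $fileCred = Get-ScriptCredential -Path 'C:\safe\secretfile.txt'
#   Connect-MsolService -Credential $fileCred
```

Any process running as the same account on the same computer can import the file and read the password with GetNetworkCredential().Password, so the protection is only as strong as that account. Use a dedicated service account with minimal rights for scheduled tasks.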
Info
Channel: Shane Young
Views: 54,238
Rating: 4.9380951 out of 5
Keywords: PowerShell, Learn PowerShell, PowerShell for beginners, Passwords for PowerShell, Powershell script passwords, store passwords with powershell, PowerShell scripting, password, shane young, bold zebras, secure passwords, secure powershell, save password, save powershell passwords, powershell basics, converto-securestring, asplaintext, credential, powershell credentials, sharepoint online password, import-clixml, export-clixml, pscredential, credential manager, credentialmanager
Id: MVZAbQEkegU
Length: 18min 12sec (1092 seconds)
Published: Tue Feb 07 2017