Share credentials across multiple systems securely?

BigDaddyO

I'm working on a script that will allow me to split up some spreadsheets that drive an automation script into 4 pieces, then it will execute RDP sessions into 4 other systems. Those 4 systems have the script set to launch on startup and so far it's working well, but the problem is, the scripts need to log into some production systems which require user IDs, passwords, and some other info passed to them in order to log in and run.

I'm thinking about creating an .ini file on a network share to store/share the info, but I need to Encrypt/Decrypt the Creds.  Is there some way to generate a custom Encryption Key that will only generate if logged in with a specific AD account so I can generate the Key on any system as long as I'm logged in with the same account?

Different people may launch this so it has to be keyed to whoever is launching it.

If anyone has some other method to securely pass Credentials/info to remote scripts that would be better, I'd love to hear it.

Thanks,

Mike


hmm... I guess I have to have a signature...

orbs

@BigDaddyO,

Taking your description literally, it cannot be done. You cannot give a user permission to execute the script and read the credentials source but deny the ability to uncover the credentials. However, it is possible if you define your scenario properly. For an adequate solution, the following conditions must be considered:

1) Is your script desktop-oriented, or can it execute in the background (headless)? If it is desktop-oriented, can it be converted to work headless?

2) Does the user (person) executing your script also need to interact with it?

3) Does your script work differently for each user? Do you need to log which user is executing your script?

4) How heterogeneous are those production systems? E.g. are they all Windows-based? In the same AD domain?

Offhand I'd say, in a simple scenario, you can schedule your script to execute at startup with a dedicated AD account that has access to the credentials data (or has the credentials stored in its Credential Manager). Define your scenario properly, and you may get better suggestions.

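As an added example, not part of orbs's post or anything else in this thread, here is what the "dedicated AD account, headless at startup" scenario looks like in Windows PowerShell on a domain-joined host. The account name DOMAIN\svc-automation, the script path C:\Automation\Run-Batch.ps1 and the credential file path are placeholders, not values from the thread.

```powershell
# Added example (not from the thread). Runs the automation script at boot, with
# nobody logged on, under a dedicated AD account, and lets that account alone
# read the production credential it needs. All names below are placeholders.

# --- One-time setup, run interactively AS THE SERVICE ACCOUNT on each host ---
# Export-Clixml protects the password with DPAPI in the current user's scope,
# so the resulting file is only readable back by that same account on that host.
function Save-ServiceCredential {
    param([Parameter(Mandatory)][string]$Path)     # e.g. C:\Automation\prod.cred
    $cred = Get-Credential -Message 'Production system credential'
    $cred | Export-Clixml -Path $Path
}

# --- Run once as an administrator to register the startup task ---
function Register-AutomationTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,        # e.g. 'ProdAutomation'
        [Parameter(Mandatory)][string]$ScriptPath,      # e.g. C:\Automation\Run-Batch.ps1
        [Parameter(Mandatory)][pscredential]$RunAs      # DOMAIN\svc-automation and its password
    )
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger  = New-ScheduledTaskTrigger -AtStartup
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 8)

    # Supplying -User and -Password stores the logon so the task runs whether or
    # not anyone is signed in (the account needs the "Log on as a batch job" right).
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -User $RunAs.UserName `
        -Password $RunAs.GetNetworkCredential().Password -RunLevel Limited
}

# --- Inside Run-Batch.ps1: reload the credential ---
# Succeeds only under the account that ran Save-ServiceCredential; any other
# account gets a CryptographicException when the SecureString is decrypted.
function Get-ServiceCredential {
    param([Parameter(Mandatory)][string]$Path)
    Import-Clixml -Path $Path                         # returns a PSCredential
}

# Usage sketch (placeholders):
#   Save-ServiceCredential -Path 'C:\Automation\prod.cred'        # as DOMAIN\svc-automation
#   Register-AutomationTask -TaskName 'ProdAutomation' `
#       -ScriptPath 'C:\Automation\Run-Batch.ps1' `
#       -RunAs (Get-Credential 'DOMAIN\svc-automation')            # as an admin
#   $prod = Get-ServiceCredential -Path 'C:\Automation\prod.cred'  # inside the script
#   $prod.GetNetworkCredential().Password                          # plaintext for the login step
```

Two practical notes: the DPAPI user master key lives in the service account's profile on the machine where the file was created, so Save-ServiceCredential has to be run on each of the four hosts (or the profile has to roam), and the file's NTFS ACL should still be restricted to the service account, since DPAPI protects confidentiality but does not stop someone from deleting or replacing the file.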
BigDaddyO

KeePass can somehow link itself to an AD account so only if you are logged in with the AD account can you open that database.  That's what I wanted to do with the encrypted ini file.

For now, I'm using the user's AD SID as the key with _Crypt_EncryptData to encrypt the values I store in the INI on the network.

I'm also encrypting the actual .ini file, so when it decrypts the file it will go to the local temp folder, not the network share.


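The following is an added example, not code from BigDaddyO's posts or from anyone in this thread. It speaks to two points raised above: the original question of a key that only exists when you are logged in with a given AD account, and the follow-up approach of using the account's SID as the _Crypt_EncryptData key. It is written in Windows PowerShell rather than AutoIt; the share path \\fileserver\automation\creds.ini, the account DOMAIN\mike and the stored values are placeholders.

```powershell
# Added example (not from the thread). Shows (a) that an account SID is public
# information and so cannot serve as an encryption key, and (b) how DPAPI in
# CurrentUser scope gives the "decrypts only for this AD account" property.
# Windows PowerShell 5.1; paths and account names are placeholders.

Add-Type -AssemblyName System.Security

# (a) Any domain member can resolve a SID from an account name, no privilege needed.
function Get-SidForAccount {
    param([Parameter(Mandatory)][string]$Account)          # e.g. 'DOMAIN\mike'
    $nt = New-Object Security.Principal.NTAccount($Account)
    $nt.Translate([Security.Principal.SecurityIdentifier]).Value
}

# (b) DPAPI: the key is derived from the logged-on user's credential material and
# never appears in the script or on disk in usable form. $Label is optional
# entropy so a ciphertext moved from one field to another fails to decrypt.
function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText, [string]$Label = '')
    $blob = [Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($PlainText),
        [Text.Encoding]::UTF8.GetBytes($Label),
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Base64, [string]$Label = '')
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Base64),
        [Text.Encoding]::UTF8.GetBytes($Label),
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Minimal INI reader/writer: @{ section = @{ key = value } }.
function Read-Ini {
    param([Parameter(Mandatory)][string]$Path)
    $ini = @{}; $section = ''
    if (Test-Path $Path) {
        foreach ($line in Get-Content $Path) {
            if ($line -match '^\s*\[(.+?)\]\s*$') {
                $section = $Matches[1]; $ini[$section] = @{}
            } elseif ($line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {   # value keeps base64 '=' padding
                if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
                $ini[$section][$Matches[1]] = $Matches[2]
            }
        }
    }
    $ini
}

function Write-Ini {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Ini)
    $lines = foreach ($s in $Ini.Keys) {
        "[$s]"
        foreach ($k in $Ini[$s].Keys) { "$k=$($Ini[$s][$k])" }
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

# Each person who launches the script keeps their own section, named by their
# SID (used here as an identifier, not as a key). Only ciphertext hits the share.
function Save-MyCredentials {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Values)
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $ini = Read-Ini $Path
    $ini[$sid] = @{}
    foreach ($k in $Values.Keys) { $ini[$sid][$k] = Protect-Secret -PlainText $Values[$k] -Label $k }
    Write-Ini -Path $Path -Ini $ini
}

function Get-MyCredentials {
    param([Parameter(Mandatory)][string]$Path)
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $ini = Read-Ini $Path
    if (-not $ini.ContainsKey($sid)) { throw "No credentials stored for $sid" }
    $out = @{}
    foreach ($k in $ini[$sid].Keys) { $out[$k] = Unprotect-Secret -Base64 $ini[$sid][$k] -Label $k }
    $out
}

# Usage (placeholder values): store once as the launching user, read later as the same user.
$iniPath = '\\fileserver\automation\creds.ini'
Save-MyCredentials -Path $iniPath -Values @{ UserID = 'prodsvc'; Password = 'placeholder' }
(Get-MyCredentials -Path $iniPath).UserID   # 'prodsvc'; a different user gets CryptographicException

# Contrast: the SID that the _Crypt_EncryptData approach uses as its key is a lookup away.
Get-SidForAccount -Account "$env:USERDOMAIN\$env:USERNAME"
```

Three caveats a practitioner would want stated. First, a SID is resolvable by any domain member (Get-SidForAccount above needs no rights beyond domain membership), so a SID-keyed ciphertext is readable by anyone who can read the share. Second, DPAPI user master keys live in the user's profile (%APPDATA%\Microsoft\Protect\<SID>), so a blob protected on one machine only decrypts on another if that profile roams (roaming profiles or Credential Roaming); without that, each user must run Save-MyCredentials on each of the four hosts, which is where a dedicated service account becomes the simpler design. Third, as orbs notes, whoever can run the script as that account sees the plaintext; encryption keyed to the launcher only protects against readers of the share who cannot log on as that account, so the share ACL still matters.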
Juvigy

You can hard-code the AD accounts and allow your script to be run only from that list of AD accounts. Then you won't need anything else!
