Scripting Safely: Elevating Security with PowerShell's PSCredential
As a sysadmin, automating tasks with PowerShell can save time and give you more granular control over tasks and configurations. Many of the tasks we perform as sysadmins require elevated permissions. If you’re new to PowerShell, you may be entering and saving password variables as plaintext system strings. This creates security holes, because these strings can be viewed by anyone looking over your shoulder while you’re setting them, and they can be retrieved from your session history and logs.
We can utilize more security-minded approaches than storing credential variables in plaintext.
Creating PSCredentials with Manual Interaction
If our script is intended to have some initial manual interaction, we can use Read-Host with the -AsSecureString parameter to capture the password as a secure string for a PSCredential.
Secure strings are stored as a hash and cannot be read as plaintext.
Next, you can create a PSCredential using New-Object and the System.Management.Automation.PSCredential class. Notice that if we call this variable, either as $securecredential or as $securecredential.password, it is only returned as a secure string object and the plaintext password is never revealed.
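The two steps above, put together as an added example (not code from the original article): prompt with Read-Host -AsSecureString, build the PSCredential with New-Object, then confirm that neither the object nor its Password property renders the plaintext. The function name New-PromptedCredential, the account name and the host name in the commented usage line are assumptions made for illustration.

```powershell
# Added example. New-PromptedCredential is a hypothetical helper name.
function New-PromptedCredential {
    [CmdletBinding()]
    [OutputType([System.Management.Automation.PSCredential])]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName
    )

    # Read-Host -AsSecureString masks the typed characters and returns a
    # System.Security.SecureString, so the password is never held in a
    # plaintext [string] variable and never echoed to the console.
    $securePassword = Read-Host -Prompt "Password for $UserName" -AsSecureString

    # Fail here rather than later with a confusing authentication error.
    if ($securePassword.Length -eq 0) {
        throw 'No password was entered.'
    }

    New-Object -TypeName System.Management.Automation.PSCredential `
               -ArgumentList $UserName, $securePassword
}

# 'CONTOSO\svc-admin' is a constructed account name.
$securecredential = New-PromptedCredential -UserName 'CONTOSO\svc-admin'

try {
    # Both views show the type name, not the password.
    $securecredential | Format-List UserName, Password
    "Password renders as: $($securecredential.Password)"

    if ($securecredential.Password -isnot [securestring]) {
        throw 'Password is not a SecureString; do not continue.'
    }

    # Hand the object to any cmdlet that takes -Credential, for example
    # (hypothetical host name):
    # Invoke-Command -ComputerName 'server01' -Credential $securecredential -ScriptBlock { hostname }
}
finally {
    # The secure string keeps the password out of console output and history,
    # but code running in the same session can still use it, so release it
    # as soon as the work is done.
    $securecredential.Password.Dispose()
}
```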
Great! Now let’s see this in action: