An Engineer's Notebook

PowerShell | Script Password Encryption | For Multi Site Administration

With this we can place PowerShell scripts centrally in OneDrive, and they will run on any machine that has access to the AES key file. It's easy to set up, and I've written a credential-update script so that if a username or password changes, anyone can update the stored credentials without touching the scripts themselves.

Steps to set this up on a client server are:

  1. Create a OneDrive for your IT company and install it on all client servers. For my testing I used C:\ICU as the OneDrive folder. The path to the OneDrive folder must be identical across all clients or the scripts won't work; putting the OneDrive folder in the root of C: on every server does this with no problem.
  2. Add a text file, C:\client.txt, containing the client's name, e.g. "Beech".
  3. Put the AES.key file in the root of the OneDrive folder [ C:\ICU\AES.key ].
  4. Create a corresponding folder for each client inside the OneDrive folder. The folder name MUST match the client name in the text file exactly [ C:\ICU\Beech ].
  5. Run the Credential Updater and enter the credentials. This creates the files that hold the credentials in the client's folder. Because the key file, not the Windows account, protects them, this can be done on ANY computer under ANY username.
  6. Configuration is complete. Run your desired script: any script that needs the credentials now runs without prompting for them.

The script in this example is used to remote into Office 365 but it could be adapted for anything.

The scripts will only work where they have access to the AES key file, a randomly generated 32-byte (256-bit) key. Be clear about what that does and does not protect. ConvertFrom-SecureString -Key is plain AES with the supplied key, not tied to a machine or a user account, so anyone who can read both AES.key and a client's Password.txt can recover that password in clear. Since the key and the encrypted passwords live in the same synced OneDrive folder, the confidentiality of every client's admin password is exactly the confidentiality of that folder: every server it syncs to, every account that can sign in to the OneDrive, and any backup or cached copy of it. Stealing a server's HDD is one such path, and BitLocker closes that one, but it does nothing against someone already logged on to a synced machine or holding the OneDrive credentials. Keep the OneDrive account locked down (MFA, no casual sharing) and treat AES.key as being as sensitive as the passwords it protects.
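To see concretely what the key file does and does not protect, here is an added round-trip example (my code, not from the original post): it generates a key, encrypts a constructed sample password, recovers it using nothing but the two files on disk, and contrasts that with the default DPAPI protection you get when -Key is omitted. The paths under $env:TEMP and the sample password are assumptions made for the demo; the post itself uses C:\ICU.

```powershell
# Added example, not code from the original post. Shows that a password
# protected with ConvertFrom-SecureString -Key is recoverable by anyone who
# holds the key file and the ciphertext, on any machine under any account,
# unlike the default DPAPI protection. Paths under $env:TEMP and the sample
# password are assumptions for this demo; the post itself uses C:\ICU.
$demoDir      = Join-Path $env:TEMP 'keyfile-demo'
$KeyFile      = Join-Path $demoDir 'AES.key'
$PasswordFile = Join-Path $demoDir 'Password.txt'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# 1. Generate a 32-byte (256-bit) AES key from the cryptographic RNG.
#    New-Object byte[] 32 on its own is 32 zero bytes; GetBytes is what
#    makes the key random.
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Out-File $KeyFile                     # stored as one decimal byte per line

# 2. Encrypt a constructed sample password with that key, as the
#    Credential Updater does.
$secret = ConvertTo-SecureString 'Sample-Passw0rd!' -AsPlainText -Force
$secret | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile

# 3. Recover it from what is on disk alone. Nothing here depends on which
#    machine or Windows account runs it, so any server syncing the folder,
#    or anyone who copies both files, gets the same result.
$keyFromDisk    = [byte[]](Get-Content $KeyFile)
$secureFromDisk = Get-Content $PasswordFile | ConvertTo-SecureString -Key $keyFromDisk
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'demo', $secureFromDisk
"Recovered with the key file: $($cred.GetNetworkCredential().Password)"

# 4. For contrast, ConvertFrom-SecureString with no -Key uses DPAPI: the blob
#    only converts back for the same Windows user on the same machine.
$dpapiBlob = $secret | ConvertFrom-SecureString
$dpapiBack = $dpapiBlob | ConvertTo-SecureString        # works here, fails elsewhere
"DPAPI blob is $($dpapiBlob.Length) chars; decrypts on this machine/user: $($null -ne $dpapiBack)"

# 5. A wrong key does not quietly hand back garbage: the AES-CBC padding
#    check almost always fails, so ConvertTo-SecureString throws.
$wrongKey = New-Object byte[] 32
try {
    Get-Content $PasswordFile | ConvertTo-SecureString -Key $wrongKey | Out-Null
    'Unexpected: ciphertext decrypted with the wrong key'
} catch {
    "Wrong key rejected: $($_.Exception.Message)"
}

# Clean up the demo files.
Remove-Item $demoDir -Recurse -Force
```

Run it as any local user: step 3 prints the sample password back, which is the whole point of the scheme and also its whole exposure; step 4 is the protection you give up by using a portable key instead of the machine-bound default.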


Creating a Key File

$KeyFile = "C:\ICU\AES.key"
$Key = New-Object Byte[] 32   # 16, 24 or 32 bytes gives AES-128/192/256
# Fill the buffer from a cryptographic RNG; without this line the "key" is 32 zero bytes
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Out-File $KeyFile      # written as one decimal byte value per line

Credential Updater

$client = Read-Host "Enter Client Folder"            # must match the client's folder name exactly, e.g. Beech
$ClientDir = "C:\ICU\$client"
if (-not (Test-Path $ClientDir)) { throw "Client folder $ClientDir does not exist" }
$PasswordFile = "$ClientDir\Password.txt"
$key = [byte[]](Get-Content "C:\ICU\AES.key")
# This value becomes the -Credential username, so it is the admin account's UPN, not the tenant ID
Read-Host "Enter Office 365 admin username (UPN)" | Out-File "$ClientDir\UserID.txt"
$password = Read-Host "Enter Password" -AsSecureString
$password | ConvertFrom-SecureString -Key $key | Out-File $PasswordFile

Script to connect to Office 365 Exchange Online

$clientname = (Get-Content C:\client.txt -Raw).Trim()   # -Raw keeps the trailing newline, which would break the paths below
$ClientDir = "C:\ICU\$clientname"
$user = Get-Content "$ClientDir\UserID.txt"
$PasswordFile = "$ClientDir\Password.txt"
$KeyFile = "C:\ICU\AES.key"
$key = [byte[]](Get-Content $KeyFile)
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)
# Basic authentication to this endpoint has since been retired by Microsoft; current tenants need the ExchangeOnlineManagement module (Connect-ExchangeOnline -Credential $UserCredential) instead
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
