
Powershell scripts

A few questions regarding scripting:


- Are scripts pushed through KACE K1000 stored somewhere on the machine or only in memory for the time it runs?

- Are they pushed over the network in a secure fashion, i.e., TLS?

- How does the community deal with securely storing domain credentials needed by a PowerShell script when the script is pushed by KACE K1000?


I wrote a PowerShell script to verify if the current machine name follows a certain convention, and if not, to update it to follow our naming convention. However, I obviously don't want an end-user to be able to get a hold of the credentials since these credentials would be domain credentials. I'm thinking there's probably a better option than to give the script domain admin credentials (i.e., I'm hoping there's a permission which would give the account access to change computer names in the domain and not much else) and of course, if such a privilege exists, I'll be sure to use it (as opposed to domain admin). That being said, regardless of how limited the powers of the account might be, I still don't want end-users to get a hold of the credentials.


TIA!


Erik






Answers (3)

Posted by: Channeler 5 years ago
Red Belt
4

Top Answer

As far as I know, the BAT files or Power Scripts are pushed to the workstation, .BAT or .PS, then the KACE Agent will open them via CMD using your desired credentials (or a SYSTEM level account).

So I would say if password security is a concern... DO NOT add your passwords to the scripts. If you need them because you are using a NET USE command... then... well, anyone tech-savvy enough can get the password from \ProgramData\Quest\KACE\kbos_cache\package\ID_OF_Script\; that folder will have all the dependencies that script needs, including your BAT file.

You can add another task to delete all dependencies manually once everything is fine... but that doesn't mean someone could pay attention to that folder, and grab your BAT file as soon as it's copied there... or plug the network cord, or enable Airplane mode as soon as the BAT file appears, then right click Open with Notepad.

You can use the credential manager and Run a Script AS Certain User... that way it will not appear there.

Anyway let's see what others say


Comments:
  • Thanks, I'll try with the Run As option within KACE. TBH I was so concentrated on finding a PowerShell solution that I didn't even take the time to look further down the "New script" page. - phatrik 5 years ago

Posted by: SMal.tmcc 5 years ago
Red Belt
1

I use AutoIT to compile to an exe when I need to pass a password in a task to a target device to keep it from being read.

Posted by: geek2.0 5 years ago
White Belt
0

As @Channeler said, KACE can run a script as a specific user. We have a domain account specifically for this purpose. It has been configured via Group Policy to be able to log in to workstations with local admin privileges, but is explicitly blocked from things like Remote Desktop, remote PowerShell, Log On As Service, etc. It has just enough access to do what we need when running as SYSTEM doesn't work. You could do something similar and delegate the Active Directory privilege of changing a computer name.
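
Because script dependencies end up on disk under kbos_cache, as the top answer describes, it is worth checking a script folder for inline credentials before uploading it to KACE. The following is an added example, not code from this thread or from Quest: a PowerShell function that flags such lines and reports only file, line number and rule, never the matched secret. The function name, the rule patterns and the sample files are constructed for illustration.

```powershell
# Added example: pre-upload check for credentials embedded in script dependencies.
function Find-EmbeddedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Hypothetical rule set; extend it for the tools your own scripts call.
    $rules = [ordered]@{
        'net use with /user:'    = '(?i)\bnet\s+use\b.*\s/user:\S+'
        'plaintext SecureString' = '(?i)ConvertTo-SecureString\b.*-AsPlainText'
        'password assignment'    = '(?i)\b(password|passwd|pwd)\s*=\s*\S+'
    }
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs |
        ForEach-Object {
            $file = $_
            foreach ($rule in $rules.GetEnumerator()) {
                Select-String -LiteralPath $file.FullName -Pattern $rule.Value |
                    ForEach-Object {
                        # Report the location only; do not echo the matched text.
                        [pscustomobject]@{
                            File = $file.FullName
                            Line = $_.LineNumber
                            Rule = $rule.Key
                        }
                    }
            }
        }
}

# Constructed sample: one script with an inline password, one without.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("kace-lint-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'map.bat') -Value @(
    '@echo off'
    'net use Z: \\fileserver\share EXAMPLE-ONLY /user:EXAMPLE\svc-demo'
)
Set-Content -Path (Join-Path $demo 'rename.ps1') -Value @(
    '# Runs under the KACE "Run As" account; no credential in the file.'
    'Write-Output $env:COMPUTERNAME'
)

Find-EmbeddedCredential -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

A finding means the credential should move out of the file, for example to the Run As account described in the answers above.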

 