Secure password when using PowerShell remoting

  • Question

  • I want to set a new password on a service account on some remote computers. Currently I am using $using to transfer the password variable to those remote computers and set the new password on the services. However I do not want to store the password as plain text at any point in the process. What will be the best way to achieve this and transfer the passwords securely to the remote computers and not store the password as plain text at any point in this process?
    Friday, November 1, 2019 1:34 PM

Answers

  • Invoke-Command and Invoke-CimMethod are the same thing. They use the same protocol and the same encryption. Both require remoting to be enabled.

    Why do it the hard way? Just use Invoke-CimMethod.

    In both cases the password has to be changed to plain text to use Win32_Service.  Currently there is no way to use a secure password to set a service password. The service controller has not been modified to add this capability.


    \_(ツ)_/


    • Edited by jrv Saturday, November 2, 2019 2:13 AM
    • Marked as answer by Admin66 Saturday, November 2, 2019 9:11 AM
    Saturday, November 2, 2019 2:11 AM

All replies

  • Not sure what you mean by transferring the password.
    But if you want to configure remote services you can just use Set-Service with a credential object.

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-6

    Friday, November 1, 2019 1:41 PM
  • I have around 300 servers, so in that case how do I achieve this? Also, I don't just want to configure a remote service but remote tasks as well. By transferring the password I mean that I am running the script remotely to perform this, and since the credentials are stored on my local machine in a variable, in order to use the local variable in a remoting session I need to pass it with $using. However, I don't want the password to appear in plain text at any point in this process.
    • Edited by Admin66 Friday, November 1, 2019 2:14 PM
    Friday, November 1, 2019 2:01 PM
  • Also, I don't see any option to change the password of a service using Set-Service.

    I have PowerShell version 5.

    • Edited by Admin66 Friday, November 1, 2019 3:49 PM
    Friday, November 1, 2019 3:45 PM
  • To set the service account password use WMI Win32_Service

    See: https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/change-method-in-class-win32-service


    \_(ツ)_/

    Friday, November 1, 2019 6:02 PM
  • Yeah, I am using Win32_Service; however, I suppose it does not have a credential parameter, so the password needs to be supplied as plain text. Since I am doing this on several servers using remoting, I was looking for a way to use passwords securely so that the password is not visible to the person executing the script and, while sending the password variable to remote computers, it is not sent in plain text.
    Saturday, November 2, 2019 1:44 AM
  • Yeah, I am using Win32_Service; however, I suppose it does not have a credential parameter, so the password needs to be supplied as plain text. Since I am doing this on several servers using remoting, I was looking for a way to use passwords securely so that the password is not visible to the person executing the script and, while sending the password variable to remote computers, it is not sent in plain text.

    The remoting interface when using Invoke-CimMethod is fully encrypted. No need to encrypt the password.  It cannot be discovered on the network by any means short of a supercomputer.


    \_(ツ)_/

    Saturday, November 2, 2019 1:48 AM
  • What about Invoke-Command? When we pass variables to remote computers using Invoke-Command, is it fully encrypted?
    Saturday, November 2, 2019 2:07 AM
  • Invoke-Command and Invoke-CimMethod are the same thing. They use the same protocol and the same encryption. Both require remoting to be enabled.

    Why do it the hard way? Just use Invoke-CimMethod.

    In both cases the password has to be changed to plain text to use Win32_Service.  Currently there is no way to use a secure password to set a service password. The service controller has not been modified to add this capability.


    \_(ツ)_/


    • Edited by jrv Saturday, November 2, 2019 2:13 AM
    • Marked as answer by Admin66 Saturday, November 2, 2019 9:11 AM
    Saturday, November 2, 2019 2:11 AM
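
One way to apply the answer above across several servers, as an added example that is not part of the original thread: the password stays a SecureString in a PSCredential and is converted to plain text only inside the Win32_Service Change call, which accepts nothing else. The server names and the CONTOSO\svc_app account are placeholders.

```powershell
# Added example. Server names and the account name are placeholders.
$servers = 'SERVER01', 'SERVER02'
$account = 'CONTOSO\svc_app'

# Prompt once; the password is held as a SecureString inside the PSCredential,
# so it never appears in the script, the console or the command history.
$cred = Get-Credential -UserName $account -Message 'New service account password'

# WQL string literals need backslashes doubled.
$filter = "StartName = '{0}'" -f $account.Replace('\', '\\')

$results = foreach ($server in $servers) {
    $session = $null
    try {
        $session  = New-CimSession -ComputerName $server -ErrorAction Stop
        $services = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                        -Filter $filter -ErrorAction Stop

        foreach ($svc in $services) {
            # Win32_Service.Change takes StartPassword as a plain string, so the
            # SecureString is decrypted inline and never assigned to a variable.
            $r = Invoke-CimMethod -CimSession $session -InputObject $svc `
                     -MethodName Change -ErrorAction Stop -Arguments @{
                         StartName     = $account
                         StartPassword = $cred.GetNetworkCredential().Password
                     }
            [pscustomobject]@{
                Server      = $server
                Service     = $svc.Name
                ReturnValue = $r.ReturnValue   # 0 means the change succeeded
                Error       = $null
            }
        }
    }
    catch {
        # Record the failure and continue with the next server.
        [pscustomobject]@{
            Server = $server; Service = $null; ReturnValue = $null
            Error  = $_.Exception.Message
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$results | Format-Table -AutoSize
```

A service that is already running keeps its old logon until it is restarted, so review the ReturnValue column and restart the affected services afterwards.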
  • Thanks jrv.
    Saturday, November 2, 2019 9:11 AM