Securing Credentials for Script Distribution

Iron Contributor

I have been building a tool that is built on PowerShell with a GUI interface created using Visual Studio, then I convert the entire script to an exe using PS2EXE. I have been using the tool for personal use only; however, I have a couple of co-workers who are interested and would like to use the tool.

Before I even consider releasing the app for use among my co-workers, I want to ensure I use the most secure method of protecting a service account and Client ID and Client Secrets. This is where my knowledge of PowerShell is lacking. The current protection I use on my application is that, to launch this application:

  • User must be logged into a Domain Join device.
  • User’s device IP address must fall within scope of IP Addresses.
  • User must be a member of both an Azure AD Security group and On-Prem. AD Security Group.

The service account credentials and the Client ID and Secrets XML files are stored externally on a server shared folder managed by an AD security group with read-only access. Only a small group of users have access to the server.

I use the following lines of code to import the XML files in my PowerShell script.

# Double quotes are needed so $XMLLocation expands; single quotes keep it literal.
$credential = Import-CliXml -Path "$XMLLocation\SharedFolder-withReadOnly-Permission\x-x012.xml"
$AppID      = $credential.UserName
# Keep the secret as a SecureString for as long as possible and only unwrap it when needed.
$bstr       = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password)
$AppSecret  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the unmanaged copy of the secret

This works fine for allowing only me access to the application, but if I want to allow other users access to the application I need a mechanism to secure the credential and the Client ID and secrets.

 

I was looking at Azure Key Vault, but this requires an Azure subscription, and it could be a hard pitch to leadership to allow me to add this resource to our current subscription. The other option I'm considering is using certificates to encrypt the credentials and App Secrets.

Since I don't have the experience to make a sound decision on properly securing credentials, I'm reaching out to the community in the hope that someone can offer other solutions on how to secure the credential and the application client ID and secrets from prying eyes.

Final question: Once a means has been identified to encrypt the credentials, during the import process the encrypted credential will need to be decrypted (ConvertTo-SecureString -AsPlainText -Force) to plain text to be used by the script. During this process of decrypting the credentials, is this considered a vulnerability where someone with nefarious intentions can somehow capture the password during the decryption?

Thank You,

-Larry
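
An added example (not code from the original post) of the certificate-based option the post is considering, using PowerShell's built-in CMS cmdlets. The background that motivates it: Export-CliXml protects a SecureString with DPAPI keyed to the exporting user on that machine, which is why the existing XML file opens for its author only. With Protect-CmsMessage the file is encrypted to a certificate's public key, so anyone with read access to the share can copy the file, but only a machine holding the matching private key can decrypt it. The share path, certificate subject and client ID/secret values below are placeholders constructed for the example; the self-signed certificate is for illustration only, and in an enterprise the certificate would be issued from AD CS and its private key placed only in the approved users' profiles.

```powershell
# Added example, not from the original post. Protects the client ID/secret with
# a document-encryption certificate via CMS instead of a DPAPI-bound CliXml file.
# Placeholders (assumptions): $SharePath, $CertSubject, and the sample ID/secret.

$SharePath   = '\\fileserver\ScriptSecrets'   # hypothetical read-only share
$CertSubject = 'CN=ScriptSecrets'             # hypothetical certificate subject
$CmsFile     = Join-Path $SharePath 'app-secret.cms'

function Get-SecretCert {
    # Find a document-encryption cert that has a private key; create a
    # self-signed one for illustration if none exists (use AD CS in production).
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -Subject $CertSubject `
            -Type DocumentEncryptionCert -KeyUsage KeyEncipherment `
            -KeyLength 2048 -CertStoreLocation Cert:\CurrentUser\My
    }
    return $cert
}

function Protect-AppSecret {
    param([string]$ClientId, [string]$ClientSecret)
    # One-time step on the admin's machine: encrypt the pair to the cert's
    # public key. Read access to the share no longer reveals the secret.
    $blob = @{ ClientId = $ClientId; ClientSecret = $ClientSecret } | ConvertTo-Json -Compress
    Protect-CmsMessage -To (Get-SecretCert) -Content $blob -OutFile $CmsFile
}

function Get-AppSecret {
    # Run-time step on a co-worker's machine. Unprotect-CmsMessage looks up the
    # matching private key in the user's store; without it the call throws
    # instead of returning the secret.
    $secret   = Unprotect-CmsMessage -Path $CmsFile | ConvertFrom-Json
    $clientId = $secret.ClientId
    $secure   = ConvertTo-SecureString -String $secret.ClientSecret -AsPlainText -Force
    $secret   = $null   # drop the plaintext object once the SecureString exists
    # Return a PSCredential so the secret stays a SecureString until it is used.
    return [pscredential]::new($clientId, $secure)
}

# Sample values constructed for the example (not real identifiers).
Protect-AppSecret -ClientId '11111111-2222-3333-4444-555555555555' -ClientSecret 'example-secret'

# The file on the share is a CMS envelope, not plaintext; inspect it without decrypting.
Get-CmsMessage -Path $CmsFile | Format-List

$cred = Get-AppSecret
$cred.UserName                         # the client ID
$cred.GetNetworkCredential().Password  # unwraps the secret only at the call site
```

On the final question in the post: Unprotect-CmsMessage still produces plaintext in the memory of whoever runs the script, so the decrypted value is readable by that user and by anything running as that user. The certificate protects the file at rest and against people who can merely read the share; it does not hide the secret from a person who is allowed to use it. Keeping the value as a SecureString until the moment it is sent and nulling intermediate variables shortens the window but does not eliminate it.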

4 Replies
Hi,
Even though I am not a security expert and don't know how secure it is, what I think is that whenever things are in clear text, then yes, it's vulnerable.
A memory dump can get it; if it's going through the network, then MITM can get it.
Actually, I went with asymmetric encryption to manage all applications and credentials.

Thank You,
-Larry
Yes, I guess you have followed good practice.