ldelossa
(louis delossantos)
January 15, 2014, 6:51pm
1
Hey guys,
We have a group of users that I need to run a Flash installer on; the computers are locked down and you need to run any installer as the local admin for it to succeed.
I’m looking for a way to let an end user run a PowerShell/cmd script and have that script execute as the local admin, without storing any plain text passwords within the script. Is there a way to do this?
Thanks.
5 Spice ups
chrisseiter
(Chris Seiter (LBFF))
January 15, 2014, 6:56pm
2
This could be a starting point for you. Enter the password and have PowerShell “encrypt” it to a file. When you need it, have PowerShell “decrypt” it.
There are other techniques I’ve seen, mostly having to do with taking the string and manipulating it in such a way that it can’t be figured out with the eye but the program can read it; take every character and add 10 to its ASCII value sort of thing. That I really wouldn’t recommend.
1 Spice up
ldelossa
(louis delossantos)
January 15, 2014, 6:58pm
3
Yeah, I’m not trying to just cypher-text it; that’s not really secure. This looks like it could be promising, let me research it and see what I can come up with. Thanks!
chamele0n
(Chamele0n)
January 15, 2014, 7:08pm
4
I don’t like the way this is going, security-wise. Yes, the password is no longer plain text. But if anyone has any sort of working knowledge of how PowerShell works, they can easily decrypt it and have the local admin password.
I would suggest installing Flash via GPO, and updating via GPO as well. Or use another 3rd party application such as Ninite Pro or PDQ Deploy.
3 Spice ups
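The encrypt-to-file approach from post 2 and the objection in post 4, as an added example that is not code from the thread. The file names, account name and password are constructed; the cmdlets are the standard `ConvertFrom-SecureString` / `ConvertTo-SecureString` pair.

```powershell
# Added example. Paths, account and password are constructed for the demo.
$work    = Join-Path $env:TEMP 'securestring-demo'
$pwdFile = Join-Path $work 'admin.pwd.txt'   # hypothetical file name
$keyFile = Join-Path $work 'aes.key'         # hypothetical file name
New-Item -ItemType Directory -Path $work -Force | Out-Null

$secure = ConvertTo-SecureString 'Constructed-Passw0rd!' -AsPlainText -Force

# Variant 1: no -Key. The blob is protected with Windows DPAPI and is bound
# to the user and computer that created it. A file written by the admin
# cannot be read back by a different user's session.
$secure | ConvertFrom-SecureString | Set-Content $pwdFile

# Variant 2: -Key. The blob is AES-encrypted with a key you supply, so any
# user on any machine can read it, provided the script can read the key.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyFile, $key)
$secure | ConvertFrom-SecureString -Key $key | Set-Content $pwdFile

# What the end user's script has to do before it can use the password:
$restored = Get-Content $pwdFile |
    ConvertTo-SecureString -Key ([System.IO.File]::ReadAllBytes($keyFile))
$cred = New-Object System.Management.Automation.PSCredential('.\Administrator', $restored)

# Any context that can build $cred can also read the password back out,
# which is the objection raised in post 4.
$plain = $cred.GetNetworkCredential().Password
"Recovered by the same context that runs the script: $plain"

Remove-Item $work -Recurse -Force
```

For a script that an end user runs, only variant 2 works, and the key file then has to be readable by that user, so the file protects the password from a casual glance and nothing more.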
alex3031
(Alex3031)
January 15, 2014, 7:23pm
5
I am using something called CPAU. I’ll create a batch script to call CPAU and execute a CPAU job file which is encrypted.
But I’m going to caveat that PowerShell or any other encryption technique used by all the major products I’ve seen at some point have the clear text version of the password. You would have to dig for it and know what you are doing, but it could be compromised in the long run. For me I find it a minor problem and the benefits outweigh the drawbacks. Plus I use a service account, so I can disable, delete, change the password if I need to at any time.
2 Spice ups
alex3031
(Alex3031)
January 15, 2014, 7:24pm
6
The current version of Flash will self update; we deploy it as an MSI with an MST file enabling the self update. We also deploy Adobe Reader and the Spiceworks agent to laptops that way as well, it works very well.
ldelossa
(louis delossantos)
January 15, 2014, 9:31pm
7
Self update isn’t a good idea here, since we used in-house software and if Flash starts updating itself, it’ll most likely break things.
I think we ran into an issue doing it through GPO - but I will try this again first. I too would like the most secure solution, and while I don’t think in 100 years we’ll actually see someone reverse a PowerShell secure string (not because of complexity of task just because of end user know how) I don’t like to take the chances. I’ll look into this CPAU thing also - looks cool.
ldelossa
(louis delossantos)
January 15, 2014, 9:42pm
8
What I’m thinking about doing is using the file based method, but having the script remove that txt file when it’s done executing, so if the user wanted to run the script again, the get-content would fail, I’ll put a catch in there like, please contact Administrator, get-content failed.
chamele0n
(Chamele0n)
January 15, 2014, 9:45pm
9
louis delossantos:
What I’m thinking about doing is using the file based method, but having the script remove that txt file when it’s done executing, so if the user wanted to run the script again, the get-content would fail, I’ll put a catch in there like, please contact Administrator, get-content failed.
If they were to right click the file and choose “Run with PowerShell” that error message would fly by and the window would close before they could read it. But you could set up emailing in your script to send an email to you if the file is trying to be run without the password file.
chamele0n
(Chamele0n)
January 15, 2014, 9:47pm
10
You could populate the email with any pertinent information that you may need, like current logged on user, computer name, IP address, etc.
ldelossa
(louis delossantos)
January 15, 2014, 9:54pm
11
Great idea! Thanks man.
ldelossa
(louis delossantos)
January 15, 2014, 9:58pm
12
Here’s another question: after having your secure credentials in a variable, how can I open a subshell using those credentials?
chrisseiter
(Chris Seiter (LBFF))
January 15, 2014, 10:07pm
13
I think that’s in the link too.
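The flow discussed in posts 8 to 12 (read the password file, alert by email if it is missing, start a process under the credential, delete the file afterwards), as an added example that is not code from the thread or from the link it mentions. Every path, mail address, server name, account name and the installer switch are placeholders.

```powershell
# Added example. All paths, addresses and names below are placeholders.
$pwdFile     = 'C:\Deploy\admin.pwd.txt'
$keyFile     = 'C:\Deploy\aes.key'
$installer   = 'C:\Deploy\flash-installer.exe'
$installArgs = '/placeholder-silent-switch'   # use the installer's documented switch
$account     = "$env:COMPUTERNAME\Administrator"

function Send-Alert([string]$Reason) {
    # Post 10: include logged-on user, computer name and IP addresses.
    $ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        ForEach-Object { $_.IPAddressToString }
    $body = "Reason: $Reason`nUser: $env:USERDOMAIN\$env:USERNAME`n" +
            "Computer: $env:COMPUTERNAME`nIP: $($ips -join ', ')"
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'deploy@example.com' `
        -To 'admin@example.com' -Subject 'Install script run without password file' `
        -Body $body
}

try {
    # -ErrorAction Stop turns a missing file into an error that catch can see.
    $key    = [System.IO.File]::ReadAllBytes($keyFile)
    $secure = Get-Content $pwdFile -ErrorAction Stop | ConvertTo-SecureString -Key $key
    $cred   = New-Object System.Management.Automation.PSCredential($account, $secure)
}
catch {
    Send-Alert $_.Exception.Message
    Write-Warning 'Install failed. Please contact your administrator.'
    Read-Host 'Press Enter to close'   # keeps the window open under "Run with PowerShell"
    exit 1
}

try {
    # Post 12: start a process under the stored credential.
    $p = Start-Process -FilePath $installer -ArgumentList $installArgs -Credential $cred `
        -WorkingDirectory (Split-Path $installer) -Wait -PassThru
    "Installer exit code: $($p.ExitCode)"
}
finally {
    # Post 8: remove the password material so a second run fails and alerts.
    Remove-Item $pwdFile, $keyFile -Force -ErrorAction SilentlyContinue
}
```

Deleting the files after the run limits reuse of the script, but it does not protect a password file that the user copied before running it.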