Caching credentials for administrative tasks
Tony has been working on a great series of posts to explore some of Monad’s security features.
He provides a method to start programs using the Administrator account, without having to always type in the Administrator’s password. To do this, he uses the export-secureString cmdlet to export the password to disk, and the import-secureString cmdlet to re-import it when required.
The export-secureString cmdlet, when not given an encryption key, uses Windows' Data Protection API, known more commonly as DPAPI. The Data Protection API is the standard Windows mechanism by which programs protect sensitive data, such as passwords and private keys. Internally, Windows protects the data by encrypting it with a password it creates from your logon credentials - making the data unavailable to other users.
By holding the Administrator’s password on disk (even encrypted), though, somebody using your account can still technically use this method to launch any application as Administrator. That’s very unlikely, and not necessarily worth being concerned about. However, as security freaks, our job is to be concerned about trivial things like that. For example, a snippet from Bruce Schneier’s piece about the strong (and playing card-based!) “Solitaire” encryption algorithm:
5. For maximum security, try to do everything in your hands and head. If the secret police starts breaking down your door, just calmly shuffle the deck. (Don’t throw it up in the air; you’d be surprised how much of the deck ordering is maintained during a game of 52-Pickup.) Remember to shuffle the backup deck, if you have one.
6. Be careful about worksheets, if you have to write things down. They will have sensitive information on them.
Burning is probably the best method of data destruction available, but think about the paper. Ungummed, rice cigarette papers seem ideally suited to this role. A colleague did some tests with Club Cabaret Width papers, and they burn completely.
(…)
And good cigarette papers are made to burn cleanly and completely. The Club papers burned best when allowed to burn in the free air. That is, lit and released at about chest level. These papers also have the advantage of having very low volume and could be easily eaten if required.
(…)
8. Most card games do not include jokers, so carrying a deck around with them may be suspicious. Be prepared with a story.
[The scary thing is that I’m not sure how much of this is in jest!]
Anyways, back to the real world. One idea to increase the security of this approach is to use credential caching. We ask for the Administrator’s password if we don’t already have it, and reuse the cached password if we do.
Here is a slightly modified script that uses this approach:
##############################################################################
## Defrag-Disk.msh
##
## Start Disk Defragmenter using cached credentials
## From http://mshforfun.blogspot.com/
##############################################################################
## Get the cached credential. This prompts for the credential if not
## yet entered. The variable lives in the global scope, so it survives
## across invocations of this script but disappears when the shell exits.
${GLOBAL:lee.holmes.credential.administrator} =
get-credential ${GLOBAL:lee.holmes.credential.administrator}
$Windir=$env:Windir
## Build the start information: run mmc.exe with the defragmenter snap-in
## under the cached credential.
$StartInfo = new-object System.Diagnostics.ProcessStartInfo
$StartInfo.UserName = ${GLOBAL:lee.holmes.credential.administrator}.Username
$StartInfo.Password = ${GLOBAL:lee.holmes.credential.administrator}.Password
$StartInfo.FileName = $Windir + "\system32\mmc.exe"
$StartInfo.Arguments = $Windir + "\system32\dfrg.msc"
$StartInfo.WorkingDirectory = $Windir + "\system32"
$StartInfo.LoadUserProfile = $true
## UseShellExecute must be $false for UserName/Password to be honoured.
$StartInfo.UseShellExecute = $false
[System.Diagnostics.Process]::Start($StartInfo)
To clear this cached credential, exit your shell, or run the command:
[D:\Lee\MSH]
MSH:56 > ${GLOBAL:lee.holmes.credential.administrator} = $null
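As an added example (not from the original post), here is the same in-memory caching idea generalized to a small set of functions: a per-name cache that prompts only once, an explicit clear, and a launcher. It uses the later Windows PowerShell cmdlet names (Get-Credential, Start-Process -Credential), so it assumes Windows PowerShell 2.0 or newer rather than a Monad build; the cache variable and function names are my own.

```powershell
# Added example, not the original script. Credentials are held only in
# process memory (a global hashtable); nothing is written to disk, unlike
# the DPAPI export approach, so the cache dies with the shell.

function Get-CachedCredential {
    param([string]$UserName = 'Administrator')
    if (-not $global:CredentialCache) { $global:CredentialCache = @{} }
    if (-not $global:CredentialCache.ContainsKey($UserName)) {
        # Prompt once; the user name is pre-filled in the dialog.
        $global:CredentialCache[$UserName] = Get-Credential -Credential $UserName
    }
    $global:CredentialCache[$UserName]
}

function Clear-CachedCredential {
    # Drop one cached entry, or all of them when no name is given.
    param([string]$UserName)
    if (-not $global:CredentialCache) { return }
    if ($UserName) { [void]$global:CredentialCache.Remove($UserName) }
    else           { $global:CredentialCache.Clear() }
}

function Start-ProcessWithCachedCredential {
    param(
        [Parameter(Mandatory=$true)][string]$FilePath,
        [string[]]$ArgumentList,
        [string]$UserName = 'Administrator'
    )
    $cred = Get-CachedCredential -UserName $UserName
    # Start-Process -Credential uses the supplied account without
    # shell-execute, mirroring UseShellExecute = $false in the post.
    Start-Process -FilePath $FilePath -ArgumentList $ArgumentList `
        -Credential $cred -WorkingDirectory "$env:windir\system32"
}

# Same task as the post: Disk Defragmenter under the cached credential.
Start-ProcessWithCachedCredential -FilePath "$env:windir\system32\mmc.exe" `
    -ArgumentList "$env:windir\system32\dfrg.msc"

# Second call reuses the cached credential; no prompt.
Start-ProcessWithCachedCredential -FilePath "$env:windir\system32\mmc.exe" `
    -ArgumentList "$env:windir\system32\dfrg.msc"

# Explicitly forget it when done, rather than waiting for the shell to exit.
Clear-CachedCredential -UserName 'Administrator'
```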
[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]