Tag Archives: Security

Save Passwords Securely in Windows Using PowerShell

Passwords are the keys to our digital lives, and it is essential to keep them secure. With so many passwords to remember, it’s easy to fall into the trap of using the same one for multiple accounts or writing them down on sticky notes. However, these practices are not secure and can put your personal data at risk.

In this blog post, we will explore how to save passwords securely in Windows using PowerShell. PowerShell is a powerful tool for managing Windows, and it can be used for password management as well. We will use the ConvertTo-SecureString and ConvertFrom-SecureString cmdlets to encrypt the password and then save it as a string in a text file, which can be used by a scheduled task running as the user who needs it.

The first step is to open PowerShell and run the following script:

# Turn the plain-text password into a SecureString (-Force acknowledges that the plain text is in the script)
$password = ConvertTo-SecureString "password here" -AsPlainText -Force

# Encrypt the SecureString; without -Key this uses DPAPI under the current user's profile
[string]$stringObject = $password | ConvertFrom-SecureString

# Write the encrypted string plus the three lines that decrypt it into cred.txt
# (the backticks keep the $ signs literal so they are written to the file, not expanded here)
@"
[string]`$encPassword = "$($stringObject)"
[SecureString]`$securePwd = `$encPassword | ConvertTo-SecureString
`$password = [System.Net.NetworkCredential]::new("", `$securePwd).Password
"@ | Set-Content -Path "cred.txt"

This script will create a text file named “cred.txt” containing the encrypted password and the code that decrypts it. Because ConvertFrom-SecureString without a -Key encrypts with the Windows Data Protection API (DPAPI) under the current user's profile, the string can only be decrypted by that same user on that same machine. The contents will look similar to the following:

[string]$encPassword = "encrypted password"
[SecureString]$securePwd = $encPassword  | ConvertTo-SecureString
$password = [System.Net.NetworkCredential]::new("", $securePwd).Password

Place that code at the top of any PowerShell script you have scheduled, and it will be able to decrypt that password. If your scheduled tasks run as a user you cannot log on as yourself, create a scheduled task running as that user to execute the first script and produce the code you need.
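An added example that is not part of the original post, wrapping the steps above in two helper functions (their names and the paths are my own assumptions): one writes cred.txt with its ACL restricted to the creating account, the other loads it from a scheduled script and reports plainly when the DPAPI-protected string cannot be decrypted because the task runs as a different user or on another machine.

```powershell
# Added example, not from the original post. Write-ProtectedPassword produces the
# cred.txt the post describes; Import-ProtectedPassword dot-sources it from a
# scheduled script and fails clearly when the DPAPI blob cannot be decrypted
# (different user or another machine). Function names and paths are assumed.

function Write-ProtectedPassword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][SecureString]$Password
    )
    # ConvertFrom-SecureString without -Key uses DPAPI, scoped to the current
    # user and machine; only that user on this host can decrypt the result.
    $encrypted = $Password | ConvertFrom-SecureString
    @"
[string]`$encPassword = "$encrypted"
[SecureString]`$securePwd = `$encPassword | ConvertTo-SecureString
`$password = [System.Net.NetworkCredential]::new("", `$securePwd).Password
"@ | Set-Content -Path $Path -Encoding UTF8

    # Restrict the file to the creating account: drop inherited ACEs and grant
    # only the current user (the blob is unusable to anyone else anyway).
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Import-ProtectedPassword {
    param([Parameter(Mandatory)][string]$Path)
    # Make the decryption error terminating so the catch below sees it
    $ErrorActionPreference = 'Stop'
    try {
        . $Path            # defines $password in this function's scope
        if (-not $password) { throw 'decrypted password is empty' }
        return $password
    }
    catch {
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Cannot use '$Path' as $me on $env:COMPUTERNAME; regenerate it as the account the task runs under. ($($_.Exception.Message))"
    }
}

# Once, interactively, as the account the scheduled task will run under:
# Write-ProtectedPassword -Path 'C:\Tasks\cred.txt' -Password (Read-Host -AsSecureString 'Password')
# At the top of the scheduled script:
# $password = Import-ProtectedPassword -Path 'C:\Tasks\cred.txt'
```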

In conclusion, saving passwords securely is crucial to protecting your personal data. PowerShell provides a simple and effective way to do so in Windows. By following the steps outlined in this blog post, you can securely store your passwords and use them when needed.


PowerShell Script to Audit User Permissions and Identify Users with High Permission

Managing permissions and ensuring proper access control is critical to maintain the security of your organization’s resources. In this blog post, we introduce a PowerShell script that can audit user permissions on file shares and directories, calculate a permission score for each user, and help you identify users with the most permissive rights.

Script

The PowerShell script consists of the following main parts:

  1. A hashtable that defines important rights and their corresponding scores.
  2. A list of excluded users and shares that should not be considered in the audit process.
  3. A function called Get-ImportantDirectoryACLs that retrieves the Access Control List (ACL) for a given directory, filters out excluded users, and calculates a permission score for each user.
  4. A main script block that connects to a target server, retrieves the file shares and directories, and invokes the Get-ImportantDirectoryACLs function.

The script calculates the permission scores for each user based on the importance of their rights. In this example, we assign a score of 100 to the ‘TakeOwnership’ right, 90 to the ‘FullControl’ right, and lower scores to other important rights. The resulting CSV file will display the users with the highest scores at the top, making it easy to identify users with the most permissive rights.

# Score per right; an ACE that carries several of these rights gets their sum
$ImportantRights = @{
    'FullControl' = 100
    'Modify' = 80
    'ReadAndExecute' = 60
    'Write' = 40
    'CreateFiles' = 20
    'CreateDirectories' = 20
    'Delete' = 10
    'TakeOwnership' = 100
}
# Built-in principals that are expected to hold broad rights and would only add noise
$ExcludedUsers = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Users', 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES')
# Administrative shares that are not part of the audit
$ExcludedShares = @("IPC$", "ADMIN$")

function Get-ImportantDirectoryACLs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DirectoryPath,
        [Parameter(Mandatory)]
        [string[]]$ExcludedUsers
    )

    process {
        # -LiteralPath so share names containing $ or [ are not treated as wildcards
        $ACL = Get-Acl -LiteralPath $DirectoryPath
        # Only explicit (non-inherited) entries are scored, so each grant is reported where it is set
        Foreach ($AccessRule in $ACL.Access) {
            If (!$AccessRule.IsInherited) {
                $User = $AccessRule.IdentityReference.Value
                if ($User -notin $ExcludedUsers) {
                    $TotalScore = 0
                    # FileSystemRights renders as "Modify, Synchronize"; split on the comma and
                    # the whitespace after it, otherwise " Synchronize" never matches a hashtable key
                    $Rights = @("$($AccessRule.FileSystemRights)" -split ',\s*') | Where-Object { $ImportantRights.ContainsKey($_) }
                    Foreach ($Right in $Rights) {
                        $TotalScore += $ImportantRights[$Right]
                    }
                    if ($TotalScore -gt 0) {
                        [pscustomobject]@{
                            DirectoryPath = $DirectoryPath
                            IdentityReference = $User
                            AccessControlType = $AccessRule.AccessControlType
                            FileSystemRights = $AccessRule.FileSystemRights
                            Score = $TotalScore
                        }
                    }
                }
            }
        }
    }
}

$Server = "ServerName"

$Cim = New-CimSession -ComputerName $Server
if ($Cim) {
    # Every share except the excluded administrative ones, as UNC paths
    $Shares = Get-SmbShare -CimSession $Cim | Where-Object { $ExcludedShares -notcontains $_.Name } | ForEach-Object {
        "\\$($_.PSComputerName)\$($_.Name)"
    }
    # Top-level directories inside each share
    $Directories = $Shares | ForEach-Object { Get-ChildItem -LiteralPath $_ -Directory } | Select-Object -ExpandProperty FullName

    $ShareRights = $Shares | Get-ImportantDirectoryACLs -ExcludedUsers $ExcludedUsers
    $DirectoryRights = $Directories | Get-ImportantDirectoryACLs -ExcludedUsers $ExcludedUsers

    $Results = @($ShareRights) + @($DirectoryRights)

    # Sort results by Score in descending order
    $SortedResults = $Results | Sort-Object -Property Score -Descending

    # Export the sorted results to a CSV file
    $SortedResults | Export-Csv -Path "$Server.csv" -NoTypeInformation

    Remove-CimSession -CimSession $Cim
}
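To check the scoring without touching a server, here is an added example (not part of the original post) that applies the post's score table to a few constructed FileSystemAccessRule objects; Get-RightsScore and the CONTOSO identities are my own placeholders.

```powershell
# Added example, not from the original post: the post's scoring run over
# constructed ACEs, so the split logic can be verified offline. Get-RightsScore
# is an assumed helper name; the score table is the post's $ImportantRights.
using namespace System.Security.AccessControl

$ImportantRights = @{
    'FullControl' = 100; 'Modify' = 80; 'ReadAndExecute' = 60; 'Write' = 40
    'CreateFiles' = 20; 'CreateDirectories' = 20; 'Delete' = 10; 'TakeOwnership' = 100
}

function Get-RightsScore {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)
    # FileSystemRights.ToString() renders flag names as "Modify, Synchronize";
    # splitting on ',\s*' (not just ',') drops the space so the lookup matches.
    $score = 0
    foreach ($name in ("$Rights" -split ',\s*')) {
        if ($ImportantRights.ContainsKey($name)) { $score += $ImportantRights[$name] }
    }
    return $score
}

# Constructed ACEs (no files involved); the identities are placeholders.
$samples = @(
    [FileSystemAccessRule]::new('CONTOSO\alice', 'FullControl', 'Allow'),
    [FileSystemAccessRule]::new('CONTOSO\bob',   [FileSystemRights]'Modify, Synchronize', 'Allow'),
    [FileSystemAccessRule]::new('CONTOSO\carol', [FileSystemRights]'Write, Delete', 'Allow'),
    [FileSystemAccessRule]::new('CONTOSO\dave',  'Read', 'Allow')   # not in the table
)

# Same shape as the CSV rows the audit script emits, highest score first
$samples | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Rights   = "$($_.FileSystemRights)"
        Score    = Get-RightsScore -Rights $_.FileSystemRights
    }
} | Sort-Object -Property Score -Descending | Format-Table -AutoSize
```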

How to Use It

  1. Copy the script to your PowerShell environment and save it as a .ps1 file.
  2. Replace “ServerName” in the $Server variable with the name of the server you want to audit.
  3. Run the script. It will generate a CSV file named ServerName.csv that contains the audit results.
  4. Review the CSV file to identify users with the highest permission scores.

Conclusion

Using PowerShell to audit user permissions and identify users with the most permissive rights is an efficient and effective way to manage access control in your organization. By assigning permission scores to important rights, you can quickly identify the users that may require further investigation. Remember to adapt the script to your environment and adjust the scores as needed to suit your organization’s security requirements.