RE: Powershell SecureString parameters

2012-04-07 Thread Michael B. Smith
I discuss it in this blog post:

http://theessentialexchange.com/blogs/michael/archive/2012/01/17/sending-an-email-to-users-whose-password-is-about-to-expire-a-powershell-rewrite.aspx

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Friday, April 06, 2012 5:27 PM
To: NT System Admin Issues
Subject: Re: Powershell SecureString parameters

Feed in the characters to SecureString one at a time (string is an IEnumerable 
of char)... the design reason for this is that the entire string should not 
exist in managed memory at any point, or else there will be non-secure copies 
floating around.

In practice, it is very difficult *not* to have the string in cleartext unless 
you're prompting the user for char-level interactive input, while being careful 
not to call any methods that would read that input as a string.

I think MBS had a blog post about this specific to Powershell not too long ago.

--Steve

2012/4/6 Joseph L. Casale :
> When you define a parameter as a secure string it becomes available 
> like any cmdlet to specify during invocation not just after.
>
> In the scenarios like testing where security is not a concern, how do 
> you craft the parameter such that it can take plain text input and 
> encrypt like `ConvertTo-SecureString "some_pass" -AsPlainText -Force`
>
> Thanks!
> jlc
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




Re: Powershell SecureString parameters

2012-04-06 Thread Steve Kradel
On Fri, Apr 6, 2012 at 6:28 PM, Ben Scott  wrote:
>  That seems icky.
>
>  Conventional wisdom is that one does any security-sensitive storage
> in memory pages "locked" in RAM.  I.e., you allocate some memory, and
> then tell the OS not to write that memory to disk for any reason.
> When done, zero the page(s).
>
>  Reading the docs for SecureString, I can only presume .NET doesn't
> have a way to do that.  Pity.

You can pin and zero memory in .NET if you really want to, but the
point I was trying to make is that SecureString doesn't address the
problem of key management.  It is however useful for 1) keeping the
secret encrypted at rest from other processes and useless in a memory
dump (yeah, unless something is actively using it and turned it back
into a BSTR for a moment), and 2) preventing most users from errantly
writing the password into a logfile or serializing it into a web
service response, etc.

--Steve

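The two properties Steve lists above, shown in working PowerShell. This is an added example, not code from the thread or from Michael's blog post; the function name Use-SecretBriefly, the file path and the lab secret are assumptions for illustration. String interpolation of a SecureString yields only its type name (System.Security.SecureString), so an errant log line leaks nothing; ConvertFrom-SecureString emits a DPAPI-protected blob bound to the current user and machine; and reading the value back requires the explicit BSTR round trip, which is the "for a moment" exposure he mentions.

```powershell
# Added example (not part of the original thread). Lab-only secret and file
# path are constructed for the demonstration.

# A managed copy of this literal exists, so this construction is acceptable
# only for a demonstration; real input should come from Read-Host -AsSecureString.
$secret = ConvertTo-SecureString 'lab-only-secret' -AsPlainText -Force
$secret.MakeReadOnly()

# 1. Accidental logging: interpolating the object gives the type name, not the text.
"Password is: $secret"

# 2. At rest: the serialized form is DPAPI-encrypted for this user on this machine.
#    Another account, or an offline copy of the file, cannot turn it back into text.
$blobPath = Join-Path $env:TEMP 'secret.txt'
ConvertFrom-SecureString $secret | Out-File $blobPath
$restored = Get-Content $blobPath | ConvertTo-SecureString

# 3. Using the value means briefly exposing it. Copy it to an unmanaged BSTR,
#    hand the text to the caller's script block, and zero/free the BSTR in
#    finally so the exposure window is as short as the code allows.
function Use-SecretBriefly {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Secure,
        [Parameter(Mandatory = $true)][scriptblock]$Action
    )
    $bstr = [IntPtr]::Zero
    try {
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
        # Caveat: PtrToStringBSTR creates a managed System.String. Strings are
        # immutable, so this copy cannot be zeroed and lives until the GC collects it.
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $Action $plain
    }
    finally {
        if ($bstr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

# The script block is the only place the plaintext is visible to your code.
Use-SecretBriefly -Secure $restored -Action {
    param($p)
    "Recovered secret has $($p.Length) characters"
}

Remove-Item $blobPath
```

The takeaway for the key-management point Steve makes: step 2 is only as strong as the DPAPI user key (a process running as the same user can decrypt the blob), and step 3 shows that any code path which needs the text gets a managed copy it cannot scrub. SecureString narrows the window; it does not remove it.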



Re: Powershell SecureString parameters

2012-04-06 Thread Ben Scott
On Fri, Apr 6, 2012 at 5:27 PM, Steve Kradel  wrote:
> Feed in the characters to SecureString one at a time (string is an
> IEnumerable of char)... the design reason for this is that the entire
> string should not exist in managed memory at any point, or else there
> will be non-secure copies floating around.

  That seems icky.

  Conventional wisdom is that one does any security-sensitive storage
in memory pages "locked" in RAM.  I.e., you allocate some memory, and
then tell the OS not to write that memory to disk for any reason.
When done, zero the page(s).

  Reading the docs for SecureString, I can only presume .NET doesn't
have a way to do that.  Pity.

  Encrypting storage that a program has to use contemporaneously is --
as was noted on this list recently -- generally pointless, as the
program has to keep the decrypt key around cleartext in the same
storage.

-- Ben



RE: Powershell SecureString parameters

2012-04-06 Thread Joseph L. Casale
Yeah, in the meantime for testing I am simply calling the script with a 
-Password $(ConvertTo-SecureString "..." -AsPlainText -Force)

Ugly, but for testing it's fine...

Thanks!
jlc

From: Steve Kradel [skra...@zetetic.net]
Sent: Friday, April 06, 2012 3:27 PM
To: NT System Admin Issues
Subject: Re: Powershell SecureString parameters

Feed in the characters to SecureString one at a time (string is an
IEnumerable of char)... the design reason for this is that the entire
string should not exist in managed memory at any point, or else there
will be non-secure copies floating around.

In practice, it is very difficult *not* to have the string in
cleartext unless you're prompting the user for char-level interactive
input, while being careful not to call any methods that would read
that input as a string.

I think MBS had a blog post about this specific to Powershell not too long ago.

--Steve

2012/4/6 Joseph L. Casale :
> When you define a parameter as a secure string it becomes available like any
> cmdlet to specify during invocation not just after.
>
> In the scenarios like testing where security is not a concern, how do you
> craft the parameter such that it can take plain text input and encrypt like
> `ConvertTo-SecureString "some_pass" -AsPlainText -Force`
>
> Thanks!
> jlc
>

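One way to craft the parameter the original question asks about, so that the script takes a real SecureString in normal use but can also be fed plain text for test runs without the caller wrapping it in ConvertTo-SecureString. This is an added example, not jlc's script or anything posted in the thread; the function name Connect-TestService, the parameter names and the lab password are assumptions for illustration. Two parameter sets keep the plain-text path separate and visibly a test-only option.

```powershell
# Added example (not part of the original thread). Function, parameter names
# and the lab password are constructed for the demonstration.
function Connect-TestService {
    [CmdletBinding(DefaultParameterSetName = 'Secure')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,

        # Normal path: the caller supplies a SecureString, typically from
        # Read-Host -AsSecureString or the Password property of Get-Credential.
        [Parameter(Mandatory = $true, ParameterSetName = 'Secure')]
        [System.Security.SecureString]$Password,

        # Test path: plain text on the command line. It ends up in command
        # history, transcripts and the process command line, so lab use only.
        [Parameter(Mandatory = $true, ParameterSetName = 'PlainText')]
        [string]$PlainTextPassword
    )

    if ($PSCmdlet.ParameterSetName -eq 'PlainText') {
        Write-Warning 'Plain-text password supplied on the command line; testing only.'
        # Same conversion as in the question, done once, inside the script.
        $Password = ConvertTo-SecureString $PlainTextPassword -AsPlainText -Force
    }

    # From here on the body sees only a SecureString, whichever path was taken,
    # so the real work cannot accidentally log or serialize the text.
    $credential = New-Object System.Management.Automation.PSCredential `
        -ArgumentList $UserName, $Password

    # Stand-in for the real work; return the credential so the caller can
    # confirm what the script is holding.
    return $credential
}

# Normal call: the password is typed, masked, and never exists as a string in
# the script. (Interactive, so commented out here.)
# $cred = Connect-TestService -UserName 'svc-backup' -Password (Read-Host -AsSecureString 'Password')

# Test-only call, the form the original question asked for:
$cred = Connect-TestService -UserName 'svc-backup' -PlainTextPassword 'P@ssw0rd-lab-only'

# What the script holds is a SecureString; Length reports a character count
# without exposing the text.
$cred.Password -is [System.Security.SecureString]
$cred.Password.Length
```

If the script already takes a PSCredential, the same split works with -Credential versus -PlainTextPassword; the point is that the plain-text conversion happens in exactly one place, guarded by a parameter set the caller has to choose deliberately.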



Re: Powershell SecureString parameters

2012-04-06 Thread Steve Kradel
Feed in the characters to SecureString one at a time (string is an
IEnumerable of char)... the design reason for this is that the entire
string should not exist in managed memory at any point, or else there
will be non-secure copies floating around.

In practice, it is very difficult *not* to have the string in
cleartext unless you're prompting the user for char-level interactive
input, while being careful not to call any methods that would read
that input as a string.

I think MBS had a blog post about this specific to Powershell not too long ago.

--Steve

2012/4/6 Joseph L. Casale :
> When you define a parameter as a secure string it becomes available like any
> cmdlet to specify during invocation not just after.
>
> In the scenarios like testing where security is not a concern, how do you
> craft the parameter such that it can take plain text input and encrypt like
> `ConvertTo-SecureString "some_pass" -AsPlainText -Force`
>
> Thanks!
> jlc
>

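Steve's description above of feeding a SecureString one character at a time, and of the char-level interactive input that makes this worthwhile, written out in PowerShell. This is an added example, not code from the thread; the function names Read-SecureStringByChar and ConvertTo-SecureStringCharwise and the lab value are assumptions for illustration. The first function is the spirit of Read-Host -AsSecureString spelled out so the path of each character is visible: keystrokes go straight into AppendChar and no complete plain-text System.String is ever created. The second shows the fallback when the text already exists: a char[] is at least mutable, so the copy you control can be wiped after it is consumed.

```powershell
# Added example (not part of the original thread). Function names and the lab
# value are constructed for the demonstration.

# Read a secret from the console one keystroke at a time. Requires a real
# console host ([Console]::ReadKey is not available in the ISE).
function Read-SecureStringByChar {
    param([string]$Prompt = 'Password')

    $secure = New-Object System.Security.SecureString
    Write-Host "${Prompt}: " -NoNewline

    while ($true) {
        # ReadKey($true) suppresses echo and returns one key at a time.
        $key = [Console]::ReadKey($true)

        if ($key.Key -eq [ConsoleKey]::Enter) { break }

        if ($key.Key -eq [ConsoleKey]::Backspace) {
            if ($secure.Length -gt 0) {
                $secure.RemoveAt($secure.Length - 1)
                Write-Host "`b `b" -NoNewline
            }
            continue
        }

        # Non-printing keys (arrows, function keys) report a NUL KeyChar; skip them.
        if ($key.KeyChar -eq [char]0) { continue }

        # The character goes straight into the encrypted buffer.
        $secure.AppendChar($key.KeyChar)
        Write-Host '*' -NoNewline
    }
    Write-Host ''

    # Lock it so nothing downstream can extend or alter it.
    $secure.MakeReadOnly()
    return $secure
}

# When the text already exists, append it char by char from a char[] rather
# than a [string]. The protection only covers what happens from this point on;
# any System.String the value passed through earlier is immutable and stays.
function ConvertTo-SecureStringCharwise {
    param([Parameter(Mandatory = $true)][char[]]$Chars)
    $secure = New-Object System.Security.SecureString
    foreach ($c in $Chars) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()
    return $secure
}

# Interactive usage (commented out because it waits for keystrokes):
# $pw = Read-SecureStringByChar -Prompt 'Service account password'

# Non-interactive lab usage with a constructed value.
$buffer = [char[]]'lab-only'
$pw = ConvertTo-SecureStringCharwise -Chars $buffer

# The char[] is mutable, so the copy we hold can be zeroed once consumed.
[Array]::Clear($buffer, 0, $buffer.Length)

$pw -is [System.Security.SecureString]
$pw.Length
```

This is the honest version of the advice in the message: the design only pays off when the characters arrive one at a time from the user, and even then anything that later calls PtrToStringBSTR or similar re-creates the managed string the type was trying to avoid.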