[Guest Blogger] Securing data in PowerShell scripts (with v1 and v2 CTP)

[MarcoS]

Something that has come up quite a bit is people asking how they can possibly hide senstive information in their PowerGadgets files.  When you use the PowerGadgets Creator, your gadget is saved in a .pgf file extension which is basically XML formatted data.

Here's an example where I've extracted one particular section of the .pgf XML:

<Window>
<GadgetVersion>1</GadgetVersion>
<ValueFieldCount>1</ValueFieldCount>
<ValueField0>Latitude</ValueField0>
<Data>PowerGadgets.Commands.PowershellSource</Data>
<Data.PrevCommands>invoke-webservice -wsdl "http://www.webservicex.net/WeatherForecast.asmx?WSDL" -method "GetWeatherByZipCode" "80526"</Data.PrevCommands>
</Window>

(Yes, I'm calling the invoke-webservice cmdlet directly.  I could have produced different code depending on the options I chose in the Creator wizard.)

OK, in some situations, the gadget creator may have senstive information they may want to somewhat hide.  At least have the text scrambled somewhat so a regular user can't easily view the information in a text editor.

The PowerGadgets Quick Start Guide has information in digitally signing the .pgf files, but that only provides protection against tampering of the .pgf file.  The information, such as the command run, is not scrambled in any way.

For Windows PowerShell version 1.0:

Using this specific example, I wrote up a blog post HERE on how one can use some programming in C# to hide the invokation details.  Now, you might be able to just plugin your own details and follow the steps to the letter, but if you have more than one parameter, then that will change some of the C# programming as well.  Just post in the forums if you need any help compiling your own custom code.

For Windows PowerShell version 2 CTP:

(The above method for version 1.0 can also be used with the version 2 CTP.) 

In November 2007, the Windows PowerShell team released a Community Technology Preview of the next release of Windows PowerShell.  This early release provides something new called scriptcmdlets.  Basically, it is as if you can create your own cmdlets simply by creating PowerShell scripts.  Once the scriptcmdlet is loaded, it acts just like a real cmdlet (with some minor exceptions).

Scriptcmdlets alone, still doesn't resolve our problem, because to load the scriptcmdlet, you load a plain .ps1 script which is in plain text.  However, there is a product named PowerLocker which comes to the rescue.  PowerLocker can encrypt PowerShell scripts.  It does need to be loaded on all machines that may try to run encrypted scripts, but it comes in two versions: a commercial version (can lock/unlock any script), and a free/community version (can lock scripts up to 20 lines/unlock any script).

With the help of PowerLocker, you know have a script that can be passed around, either loaded manually or via the user's profile, and then once has that cmdlet available to use.

See my detailed example HERE.

There are some other for hiding information.  The important thing I was looking for in encrypting/hiding my parameters was that I wanted the result to ouput real .NET objects.  That's the important part to consider here.  Other methods that I tried would simply output simple text strings, which may be acceptable in some cases.

I may blog about these other methods briefly early in 2008.