powershell - What is the best way to store account credentials (especially password) for an automated email script?

Question

I am writing a simple script (windows powershell) to send automated emails. A computer will be running at all times collecting data and then sending emails at regular intervals. Part of sending an email obviously is collecting credentials, and since its automated we cant have somebody there everytime to enter the user and password. The obvious solution is to just store info in $user and $pass vars in the script but this seems horribly unsafe to me, and prone to attacks. Is there any better way to do this? Maybe setup a secure email connection once with the user address and not have to enter it in again? I am new to powershell so im not really clear on the best ways to do this. Currently what I am doing is:

$from = '[email protected]'
$to = '[email protected]'
$smtpServer = 'smtp-mail.outlook.com'
$smtpPort = '587'
$mailSubject = 'PowerShell Script Email Test'
$password = 'p@ssword'
$mailBody = 'body text'
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $from, $($password | ConvertTo-SecureString -AsPlainText -Force)
Send-MailMessage -To "$to" -From "$from" -Subject $mailSubject -SmtpServer $smtpServer -UseSsl -Credential $credentials -BodyAsHtml -Body $mailBody

Any advice or documentation to read would be much appreciated

Answer 1

You may want to investigate the Protect-CMSMessage cmdlet, which allows you to encrypt/decrypt data using public key cryptography so that only users with the correct certificate would be able to decrypt the password.

If that seems like overkill, another, easier but possibly less secure, option is to export the credentials to XML and read them back when required.

To create the file, do this:

1. Log on as the user the script will be running as
2. Execute this command: Get-Credential | Export-CliXml <path>cred.xml
3. When prompted enter the username/password to be used in the script

The resulting XML file will have the username and password securely stored and can be read back like this:

$cred = Import-CliXml <path>cred.xml

You can then pass $cred to any cmdlet that has a -Credential parameter.

The password is encrypted in such a way that it can only be opened by the same user on the same computer, so if someone else opens it they won't be able to access the details. Obviously, if they can log on as the user who encrypted it (or convince that user to run a 'bad' script), then they will have access to the details, but otherwise this is pretty secure.

A third option is to use the built-in Credential Manager in Windows. This needs some complicated .NET interop for older systems, but luckily some nice person has already done the hard work for you:

PowerShell Credentials Manager

This is a bit easier in Windows 10:

PasswordVault Class