
I have a batch script on SERVER A that activates a scheduled task on SERVER B using the 'schtasks' command. This command requires a username and password to access the other server, but we don't want to store this data in plain text. Is there a way to save this password in a non-plain-text format? Even if the password is passed to the 'schtasks' command in plain text, that would be better than storing it in the batch script itself.

Vincent Vance
  • check this question -> http://stackoverflow.com/questions/25582295/xor-a-string-in-a-bat-file it's rather obfuscation, but maybe it will be ok for you. – npocmaka Sep 25 '14 at 21:43
  • you have not indicated your server versions. Can you use `cmdkey` command? – MC ND Sep 26 '14 at 06:27
  • We're using Windows 2008 R2 Service Pack 1. The cmdkey command only lists the usernames and servers that the machine has in its credential manager, but I don't see a way in the syntax definition to display or pass passwords to a batch script. – Vincent Vance Sep 29 '14 at 15:08
  • Also, thanks for the link, maka! I might end up using the certutil command if there's no way to directly pass a password to the batch script. – Vincent Vance Sep 29 '14 at 15:09

1 Answer


Couldn't you use Kerberos?

If you can't, try taking a look at option 3 of this question: Different ways to store a password variable in a Java web application? You could use a key, and share the key to decrypt the credentials you need, but it is still poorly secured.

If you can use Kerberos, just check on SERVERB if the Kerberos token is one you allowed. It could be a local user on SERVERA or a domain user. For example, you start the 'SCRIPT.bat' through 'schtasks' as Script_User_A on SERVERA; Script_User_A is a domain user, with low privileges. SERVERB starts a challenge/response with SERVERA as soon as it receives any first request, asking Script_User_A to prove its identity. Script_User_A will do it, SERVERB is happy, and everything works. If Malicious_User tries to execute 'SCRIPT.bat', SERVERB will send a challenge that Malicious_User will not be able to respond to, and SERVERB will know the 'SCRIPT.bat' is executed by someone else.

With Kerberos this challenge/response mechanism comes for free: you need to study the Microsoft TechNet and the API a bit, but it is worth the effort, especially if you are used to developing on Windows.

sc0p
  • I'm not familiar with Kerberos. How does the challenge/response differ from a username and password other than the fact that you don't input the server password when using the batch? – Vincent Vance Sep 29 '14 at 17:08
  • In a challenge-response, the password is never sent on the network. In Windows this is achieved by having both the Domain Controller (aka the Kerberos core) knowing your Domain password, as well as your SERVER_A. This way when server_b wants to check if it is really server_a running that script, it needs only a challenge from server_a, a token. server_b will send this challenge to the DC (in kerberos everything blindly trusts the domain controller) and the DC replies "it is really server_a" or "no it is not". server_b does not rely on server_a to authenticate server_a, which is good. – sc0p Oct 03 '14 at 07:25
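As an added example (not part of the original question or answer), here is how the question's request can be met on Windows without the obfuscation tricks from the comments: the password is stored in a DPAPI-protected file created once by the account the task on SERVER A runs under, and the batch script calls this PowerShell wrapper, which decrypts it only at the moment it hands it to `schtasks`. The server name, task name, account and file path are assumed placeholders.

```powershell
# Added example, not the original poster's script. Placeholders below are assumed.
#
# One-time setup, run interactively AS the account that the batch job on SERVER A runs as:
#   Get-Credential 'DOMAIN\Script_User_A' | Export-Clixml -Path C:\Secure\serverb.cred
# Export-Clixml wraps the SecureString with DPAPI (user + machine scope), so the file
# can only be decrypted by that same account on that same machine.

param(
    [string]$TargetServer = 'SERVERB',             # assumed remote host name
    [string]$TaskName     = 'Nightly Export',      # assumed task name on SERVER B
    [string]$CredPath     = 'C:\Secure\serverb.cred' # assumed location of the DPAPI file
)

if (-not (Test-Path -Path $CredPath)) {
    throw "Credential file '$CredPath' not found; create it with Get-Credential | Export-Clixml as the task's own account."
}

# Import-Clixml fails for any other user or machine, which is the protection we want.
$cred  = Import-Clixml -Path $CredPath
$plain = $cred.GetNetworkCredential().Password

try {
    # The password reaches schtasks in clear text (the question accepts this) but never
    # sits in the script. /P is visible in process listings while schtasks runs, so keep
    # the account low-privileged, as the answer recommends.
    & schtasks.exe /Run /S $TargetServer /TN $TaskName /U $cred.UserName /P $plain
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Drop the clear-text copy as soon as the call returns.
    $plain = $null
    $cred  = $null
}
```

If the account running the batch job on SERVER A is a domain account that is already allowed to run the task on SERVER B, the answer's Kerberos approach applies instead: omit `/U` and `/P` entirely and `schtasks` authenticates with the caller's own ticket, so no password needs to be stored at all.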