A few questions regarding scripting:
- Are scripts pushed through KACE K1000 stored somewhere on the machine or only in memory for the time they run?
- Are they pushed over the network in a secure fashion, i.e., TLS?
- How does the community deal with securely storing domain credentials needed by a PowerShell script when the script is pushed by KACE K1000?
I wrote a PowerShell script to verify if the current machine name follows a certain convention, and if not, to update it to follow our naming convention. However, I obviously don't want an end-user to be able to get a hold of the credentials since these credentials would be domain credentials. I'm thinking there's probably a better option than to give the script domain admin credentials (i.e., I'm hoping there's a permission which would give the account access to change computer names in the domain and not much else) and of course, if such a privilege exists, I'll be sure to use it (as opposed to domain admin). That being said, regardless of how limited the powers of the account might be, I still don't want end-users to get a hold of the credentials.
Answer Chosen by the Author
As far as I know, the BAT files or Power Scripts are pushed to the workstation, .BAT or .PS, then the KACE Agent will open them via CMD using your desired credentials (or a SYSTEM level account).
So I would say if password security is a concern... DO NOT add your passwords to the scripts. If you need them because you are using a NET USE command... then... well, anyone tech savvy enough can get the password from \ProgramData\Quest\KACE\kbos_cache\package\ID_OF_Script\. That folder will have all the dependencies that script needs, including your BAT file.
You can add another task to delete all dependencies manually once everything is fine... but that doesn't mean someone could pay attention to that folder, and grab your BAT file as soon as it's copied there... or plug the network cord, or enable Airplane mode as soon as the BAT file appears, then right-click and Open with Notepad.
You can use the credential manager and Run a Script AS Certain User... that way it will not appear there.
Anyway, let's see what others say.
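The advice above not to put passwords in pushed scripts can be checked before a script and its dependencies are uploaded. The following PowerShell is an added example, not part of the original thread or of any KACE tooling; the rule set, file names, account name and password are constructed for illustration.

```powershell
# Added example: heuristic pre-upload check for credentials embedded in script dependencies.
# The rules are illustrative assumptions, not an exhaustive secret scanner.
$CredentialRules = [ordered]@{
    # net use <share> <password> /user:...  or  net use ... /user:<name> <password>  ('*' = prompt, ignored)
    'net use with inline password' = '(?i)\bnet\s+use\b.*(\\\\\S+\s+(?![/*])\S+\s+/user:|/user:\S+\s+(?![/*])\S+)'
    # ConvertTo-SecureString fed a quoted literal together with -AsPlainText
    'plaintext SecureString'       = '(?i)ConvertTo-SecureString\b(?=.*-AsPlainText)(?=.*["''][^"''$]+["''])'
    # $password = "literal" style assignments
    'password variable literal'    = '(?i)\$\w*(pass|pwd|secret)\w*\s*=\s*["''][^"''$]+["'']'
    # set PASSWORD=value in batch files
    'batch password variable'      = '(?i)^\s*set\s+"?\w*(pass|pwd)\w*=\S+'
}

function Find-EmbeddedCredential {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Lines   # for real files: (Get-Content -Path $path)
    )
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($rule in $CredentialRules.GetEnumerator()) {
            if ($Lines[$i] -match $rule.Value) {
                [pscustomobject]@{ File = $Name; Line = $i + 1; Rule = $rule.Key }
            }
        }
    }
}

# Constructed sample dependencies (not real scripts or real credentials).
$samples = [ordered]@{
    'map_drive.bat' = @(
        '@echo off',
        'net use Z: \\fs01\deploy Summer2024! /user:CORP\svc_rename'
    )
    'rename.ps1' = @(
        '$pw = ConvertTo-SecureString "Summer2024!" -AsPlainText -Force',
        '$cred = New-Object System.Management.Automation.PSCredential("CORP\svc_rename", $pw)'
    )
    'rename_runas.ps1' = @(
        '# No credential in the file: relies on the account the script is run as',
        'if ($env:COMPUTERNAME -notmatch "^WS-\d{4}$") { Write-Output "name needs fixing" }'
    )
}

$findings = foreach ($s in $samples.GetEnumerator()) {
    Find-EmbeddedCredential -Name $s.Key -Lines $s.Value
}
$findings | Format-Table -AutoSize
if ($findings) { Write-Warning 'Embedded credentials found: remove them before uploading these files.' }
```

With the constructed samples, `map_drive.bat` line 2 and `rename.ps1` line 1 are reported, and `rename_runas.ps1` produces no finding.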
Community Chosen Answer
I use AutoIt to compile to an exe when I need to pass a password in a task to a target device to keep it from being read.