存储自动电子邮件脚本的帐户凭据(尤其是密码)的最佳方法是什么? [英] What is the best way to store account credentials (especially password) for an automated email script?
问题描述
我正在编写一个简单的脚本(Windows Powershell)来发送自动电子邮件.计算机将始终处于运行状态,以收集数据,然后定期发送电子邮件.发送电子邮件的一部分显然是在收集凭据,并且由于它是自动的,因此我们无法每次都让有人在那里输入用户名和密码.显而易见的解决方案是仅将信息存储在$ user和$ pass vars脚本中,但这对我来说似乎非常不安全,并且容易受到攻击.有没有更好的方法可以做到这一点?也许使用用户地址设置一次安全的电子邮件连接,而不必再次输入?我是Powershell的新手,所以我不太清楚执行此操作的最佳方法.目前我正在做的是:
I am writing a simple script (windows powershell) to send automated emails. A computer will be running at all times collecting data and then sending emails at regular intervals. Part of sending an email obviously is collecting credentials, and since its automated we cant have somebody there everytime to enter the user and password. The obvious solution is to just store info in $user and $pass vars in the script but this seems horribly unsafe to me, and prone to attacks. Is there any better way to do this? Maybe setup a secure email connection once with the user address and not have to enter it in again? I am new to powershell so im not really clear on the best ways to do this. Currently what I am doing is:
$from = 'UserEmail@anotherEmail.com'
$to = 'someEmail@SomeMail.com'
$smtpServer = 'smtp-mail.outlook.com'
$smtpPort = '587'
$mailSubject = 'PowerShell Script Email Test'
$password = 'p@ssword'
$mailBody = 'body text'
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $from, $($password | ConvertTo-SecureString -AsPlainText -Force)
Send-MailMessage -To "$to" -From "$from" -Subject $mailSubject -SmtpServer $smtpServer -UseSsl -Credential $credentials -BodyAsHtml -Body $mailBody
任何建议或文档阅读将不胜感激
Any advice or documentation to read would be much appreciated
推荐答案
You may want to investigate the Protect-CMSMessage cmdlet, which allows you to encrypt/decrypt data using public key cryptography so that only users with the correct certificate would be able to decrypt the password.
如果这看起来有些矫kill过正,那么另一种更容易但可能不太安全的选择是将凭据导出到XML,并在需要时将它们读回.
If that seems like overkill, another, easier but possibly less secure, option is to export the credentials to XML and read them back when required.
要创建文件,请执行以下操作:
To create the file, do this:
- 以脚本将以其身份运行的用户身份登录
- 执行此命令:
Get-Credential | Export-CliXml <path>\cred.xml - 出现提示时,输入要在脚本中使用的用户名/密码
生成的XML文件将安全存储用户名和密码,并且可以像这样读取:
The resulting XML file will have the username and password securely stored and can be read back like this:
$cred = Import-CliXml <path>\cred.xml
然后可以将$cred传递给任何具有-Credential参数的cmdlet.
You can then pass $cred to any cmdlet that has a -Credential parameter.
密码的加密方式只能由同一用户在同一台计算机上打开,因此,如果有人打开它,则将无法访问详细信息.显然,如果他们可以使用对其进行加密的用户身份登录(或说服该用户运行不良"脚本),则他们将有权访问详细信息,但是这样做非常安全.
The password is encrypted in such a way that it can only be opened by the same user on the same computer, so if someone else opens it they won't be able to access the details. Obviously, if they can log on as the user who encrypted it (or convince that user to run a 'bad' script), then they will have access to the details, but otherwise this is pretty secure.
第三个选项是在Windows中使用内置的凭据管理器.对于较旧的系统,这需要一些复杂的.NET互操作,但是幸运的是,一些好人已经为您完成了艰苦的工作:
A third option is to use the built-in Credential Manager in Windows. This needs some complicated .NET interop for older systems, but luckily some nice person has already done the hard work for you:
这在Windows 10中更容易一些:
This is a bit easier in Windows 10:
这篇关于存储自动电子邮件脚本的帐户凭据(尤其是密码)的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
