为自动电子邮件脚本存储帐户凭据(尤其是密码)的最佳方法是什么? [英] What is the best way to store account credentials (especially password) for an automated email script?
问题描述
我正在编写一个简单的脚本(windows powershell)来自动发送电子邮件.计算机将始终运行,收集数据,然后定期发送电子邮件.发送电子邮件的一部分显然是收集凭据,并且由于它是自动化的,我们不能每次都有人在那里输入用户名和密码.显而易见的解决方案是在脚本中将信息存储在 $user 和 $pass vars 中,但这对我来说似乎非常不安全,并且容易受到攻击.有没有更好的方法来做到这一点?也许设置一次与用户地址的安全电子邮件连接,而不必再次输入?我是 powershell 的新手,所以我不太清楚执行此操作的最佳方法.目前我正在做的是:
I am writing a simple script (windows powershell) to send automated emails. A computer will be running at all times collecting data and then sending emails at regular intervals. Part of sending an email obviously is collecting credentials, and since its automated we cant have somebody there everytime to enter the user and password. The obvious solution is to just store info in $user and $pass vars in the script but this seems horribly unsafe to me, and prone to attacks. Is there any better way to do this? Maybe setup a secure email connection once with the user address and not have to enter it in again? I am new to powershell so im not really clear on the best ways to do this. Currently what I am doing is:
$from = 'UserEmail@anotherEmail.com'
$to = 'someEmail@SomeMail.com'
$smtpServer = 'smtp-mail.outlook.com'
$smtpPort = '587'
$mailSubject = 'PowerShell Script Email Test'
$password = 'p@ssword'
$mailBody = 'body text'
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $from, $($password | ConvertTo-SecureString -AsPlainText -Force)
Send-MailMessage -To "$to" -From "$from" -Subject $mailSubject -SmtpServer $smtpServer -UseSsl -Credential $credentials -BodyAsHtml -Body $mailBody
非常感谢任何建议或阅读文档
Any advice or documentation to read would be much appreciated
推荐答案
您可能想要调查 Protect-CMSMessage cmdlet,它允许您加密/解密数据 使用公钥加密,以便只有拥有正确证书的用户才能解密密码.
You may want to investigate the Protect-CMSMessage cmdlet, which allows you to encrypt/decrypt data using public key cryptography so that only users with the correct certificate would be able to decrypt the password.
如果这看起来有点矫枉过正,另一个更简单但可能不太安全的选项是将凭据导出到 XML 并在需要时读取它们.
If that seems like overkill, another, easier but possibly less secure, option is to export the credentials to XML and read them back when required.
要创建文件,请执行以下操作:
To create the file, do this:
- 以运行脚本的用户身份登录
- 执行此命令:
Get-Credential |导出-CliXmlcred.xml - 在提示时输入要在脚本中使用的用户名/密码
生成的 XML 文件将安全存储用户名和密码,并且可以像这样读回:
The resulting XML file will have the username and password securely stored and can be read back like this:
$cred = Import-CliXml <path>cred.xml
然后您可以将 $cred 传递给任何具有 -Credential 参数的 cmdlet.
You can then pass $cred to any cmdlet that has a -Credential parameter.
密码经过加密,只能由同一用户在同一台计算机上打开,因此如果其他人打开它,他们将无法访问详细信息.显然,如果他们可以以加密它的用户身份登录(或说服该用户运行坏"脚本),那么他们将可以访问详细信息,否则这是非常安全的.
The password is encrypted in such a way that it can only be opened by the same user on the same computer, so if someone else opens it they won't be able to access the details. Obviously, if they can log on as the user who encrypted it (or convince that user to run a 'bad' script), then they will have access to the details, but otherwise this is pretty secure.
第三个选项是使用 Windows 中的内置凭据管理器.对于较旧的系统,这需要一些复杂的 .NET 互操作,但幸运的是,一些好心人已经为您完成了艰苦的工作:
A third option is to use the built-in Credential Manager in Windows. This needs some complicated .NET interop for older systems, but luckily some nice person has already done the hard work for you:
这在 Windows 10 中要容易一些:
This is a bit easier in Windows 10:
这篇关于为自动电子邮件脚本存储帐户凭据(尤其是密码)的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
