如何解决Powershell 5. SecureString解密,可最大程度地减少内存时间
我有一个使用openssl.exe查看私钥文件的脚本。但是,这个问题与对外部程序的任何调用有关。
通过读取主机-assecurestring请求密码。
securestring类型不能传递给openssl.exe命令。我需要将其解密为纯字符串,然后将该字符串传递给openssl.exe
是否可以最大程度地减少字符串在内存中为纯文本的时间? 请注意,我们在Powershell 5上。PS 7功能对我们不可用。
我看到了两种方法:
#Decrypt the securestring to a variable.
#Create and remove that variable as soon as possible.
$securePass = Read-Host("Please enter a password") -assecurestring
$plainPass = [Net.NetworkCredential]::new('',$securePass).password
#Note there are many ways to perform the above step. If the 'Marshal method' is better,let me kNow.
./openssl.exe rsa -in user.key -passin pass:$plainpass
Remove-Variable $plainPass
#Decrypt the securestring in the call to openssl.
#Hope Powershell's garbage collection removes the String object as soon as the command is issued.
$securePass = Read-Host("Please enter a password") -assecurestring
./openssl.exe rsa -in user.key -passin pass:$([Net.NetworkCredential]::new('',$securePass).password)
- 其中一种方法比另一种更好吗?
- 鉴于脚本非常快速,并且String从未写入文件,甚至使用securestring还是一个问题吗?
- 我是否使用字符串破坏了安全性最佳实践,而不管它存在的时间有多短?
解决方法
无论如何都在提示,为什么不只使用Get-Credential还是Read-Host?
$Creds = Get-Credential -Credential "$env:USERDOMAIN\$env:USERNAME"
$Creds.UserName
$Creds.Password
$Creds.GetNetworkCredential().Password
# Results
<#
lab01\postanote
System.Security.SecureString
!SomeSuperSecretPassword1
#>
Microsoft的实践:Working with Passwords,Secure Strings,and Credentials in Windows PowerShell
您应该始终在自己身后清理。 不要等待系统执行此操作。
这是我在课堂,讲习班/参与中给予他人的一种建议方式。
# Collect all automatic and default loaded resources,put this at the top of your script
$AutomaticVariables = Get-Variable
$AutomaticAndProfileLoadedVModules = Get-Module
$AutomaticLoadedFunctions = Get-Command -CommandType Function
# Run this as the last items in your script
Function Clear-ResourceEnvironment
{
[CmdletBinding(SupportsShouldProcess)]
[Alias('cre')]
Param
(
[switch]$AdminCredStore
)
# Clear instantiate reasource interop
$null = [System.Runtime.InteropServices.Marshal]::
ReleaseComObject([System.__ComObject]$Shell)
# instantiate .Net garbage collection
[System.GC]::Collect()
[System.GC]::WaitForPendingFinalizers()
# Clear all PSSessions
Get-PSSession |
Remove-PSSession -ErrorAction SilentlyContinue
# Clear static credential store,if switch is used
If ($AdminCredStore)
{Remove-Item -Path "$env:USERPROFILE\Documents\AdminCredSet.xml" -Force}
Else
{
Write-Warning -Message "
`n`t`tYou decided not to delete the custom Admin credential store.
This store is only valid for this host and and user $env:USERNAME"
}
Write-Warning -Message "
`n`t`tRemoving the displayed session specific variable and module objects"
# Clear only variables created / used during the session
Compare-Object -ReferenceObject (Get-Variable) -DifferenceObject $AutomaticVariables -Property Name -PassThru |
Where -Property Name -ne 'AutomaticVariables' |
Remove-Variable -Verbose -Force -Scope 'global' -ErrorAction SilentlyContinue
Remove-Variable -Name AdminCredStore -Verbose -Force
# Clear only modules loaded during the session
Compare-Object -ReferenceObject (Get-Module) -DifferenceObject $AutomaticAndProfileLoadedVModules -Property Name -PassThru |
Where -Property Name -ne 'AutomaticAndProfileLoadedVModules' |
Remove-Module -Force -ErrorAction SilentlyContinue
# Clear only functions loaded during the session
Compare-Object -ReferenceObject (Get-Command -CommandType Function) -DifferenceObject $AutomaticLoadedFunctions -Property Name -PassThru |
Where -Property Name -ne 'AutomaticLoadedFunctions' |
Remove-Item -Force -ErrorAction SilentlyContinue
}
要点:
当您使用解密将文本加密时,如果可以嗅探您正在做的事情就成为一个问题。因此,谚语,保护频道安全,保护数据安全,或两者都适用。
此外,如果有任何实际的日志记录(SEIM工具,PowerShell审核,成绩单),则无论您如何从RAM中清除日志,除非您记得清除该条目,否则所有日志都将记录在日志中。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。