Are you running your client tuner as a service?
No I am not.
If you have an Administrative account on the target machines, either a domain admin account, or some other account with administrative rights, you can use the runas.exe from Windows to launch the batch or .vbs with administrative rights.
And there is a way to encrypt the password for that account within the channel so that it is not visible to users or other people trying to open up the channel folder on an endpoint.
If you have such an account available on the endpoints, I can put a post together to show you how it is done.
Or if anyone else is interested in how to encrypt password strings within a channel, let me know and I'll try to put together an example of how this is done.
I would like to see how you're encrypting the creds in a channel.
We can use the domain account for the installation. Could you please let us know how to encrypt the password in the channel?
I may have gotten a little ahead of myself on answering this question. But here are some items that should be of help to you.
1. If you create a property in Marimba that ends with ‘.password’, Marimba will encrypt this property. This can be a Tuner or Channel property.
a. The Good:
b. The Bad: The decrypted string does appear within the trans.txt file within the channel folder. (‘ch.#\data\trans.txt’) If anyone knows how to turn this off or stop it from recording it would help a lot.
c. This is the method that first came to mind when I responded to the thread. I had forgotten about the trans.txt file.
2. You can use a third party tool to encrypt then decrypt the string such as AutoIt. We created two AutoIt scripts to encrypt and decrypt a string. We then compiled these scripts into executables to prevent the casual user from browsing the encryption process.
a. AutoIt script to create encrypted phrase:
#include <GUIConstantsEx.au3>   ; $GUI_EVENT_CLOSE
#include <String.au3>           ; _StringEncrypt
GUICreate("Encrypt String", 300, 160)
$input = GUICtrlCreateInput("Input",10,25,280,20)
$generate = GUICtrlCreateButton(" Generate ",10,50)
$output = GUICtrlCreateInput("Output",10,100,280,20)
$clipboard = GUICtrlCreateButton(" Copy To Clipboard ",10,125)
GUISetState(@SW_SHOW)
Do
    $msg = GUIGetMsg()
    Select
        Case $msg = $clipboard
            ClipPut(GUICtrlRead($output))   ; copy the encrypted phrase for pasting into the channel
        Case $msg = $generate
            ; 1 = encrypt; the passphrase and level must match the decrypting script
            GUICtrlSetData($output, _StringEncrypt(1, GUICtrlRead($input), "3ncryp7Th1sS7r1ng", 1))
    EndSelect
Until $msg = $GUI_EVENT_CLOSE
b. Then use an AutoIt script to decrypt the password and perform the function you want.
#include <String.au3>           ; _StringEncrypt
If $CmdLine[0] < 1 Then Exit 1  ; the encrypted phrase is passed as the first command-line argument
$Password = _StringEncrypt(0, $CmdLine[1], "3ncryp7Th1sS7r1ng", 1)   ; 0 = decrypt, same passphrase/level as above
ConsoleWrite("Password: " & $Password)
c. If you use AutoIt, be sure to read up on the security of using AutoIt. Some experts will tell you not to place your “passwords” directly within the AutoIt script and rely purely on the AutoIt compile to protect your “password” or string. In this example you are not placing your “password” directly in the script, but you do have the encryption/decryption passphrase within the script and that is only two more hops away from someone prying on your “password”.
3. Something else you can do to protect yourself while using the methods mentioned above is to set up a temporary account with the rights needed to run the channel/batch/script. That way you can turn off the “password” or even change it if need be. On the down side, if your channel/batch/script needs to be available for installations over a period of time (it's not just a one-shot deployment of the channel), you would need to keep this account enabled and not change the password.
4. Using all three of these methods may provide you with the functionality to get the job done and limit the issues with each method individually. If you were to use the AutoIt function to encrypt both the domain account ID and password, then send the encrypted information to the tuners as a tuner property ending with ‘.password’ (don’t use a property name that identifies the information), and then use another AutoIt .exe to decrypt the information and perform the function, you would avoid the Trans.txt issue because you have already encrypted the strings with AutoIt. And sending the User ID and Password as a tuner property would allow you to update and modify the account which is used by the channel. The only major hurdle that I can think of at this time would be someone cracking open the AutoIt .exe file, then looking into the Trans.txt and finding the correct obscurely named property, and using those two pieces of information to crack the encryption.
But if this is the type of thing you would need to do a lot, I would highly suggest looking into running your tuners as a service. You do not have to worry about admin privileges on an endpoint because you are running as ‘Local Service’ with admin rights. But also be aware that there is going to be a small learning curve to running channels from a service tuner.
I don’t know if editing a post will initiate an email notification but here is one to be sure. If it comes through twice, someone please let me know.
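As an added example (not from this thread, and not Marimba's or AutoIt's own code), here is the same "launch the batch as the deployment account" step done with Windows DPAPI instead of a passphrase compiled into an AutoIt .exe, so the secret is never stored beside its own decryption key and no password ever becomes a tuner property (so the trans.txt problem above does not arise). The account name CORP\svc_deploy and the blob path are placeholders.

```powershell
# Added example: DPAPI-protected runas credential. Not part of the original thread.
# A DPAPI (user-scope) blob can only be decrypted by the same Windows account on the same
# machine that created it, so the decryption key is not shipped with the channel at all.
$BlobPath = 'C:\ProgramData\Deploy\svc_deploy.cred'   # placeholder path
$User     = 'CORP\svc_deploy'                          # placeholder deployment account

# Step 1: run ONCE, interactively, under the account that will later run the channel.
function Protect-DeployCredential {
    $secure = Read-Host -Prompt "Password for $User" -AsSecureString
    # ConvertFrom-SecureString without -Key uses DPAPI, current-user scope.
    $secure | ConvertFrom-SecureString | Set-Content -Path $BlobPath -Encoding ASCII
    # ACL as defence in depth; DPAPI already binds the blob to this account.
    icacls $BlobPath /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
}

# Step 2: what the channel runs: rebuild the credential and launch the batch file.
function Invoke-AsDeployAccount {
    param([Parameter(Mandatory)][string]$BatchFile)
    if (-not (Test-Path $BlobPath)) { throw "No protected credential at $BlobPath" }
    $secure = Get-Content -Path $BlobPath | ConvertTo-SecureString   # DPAPI decrypt
    $cred   = New-Object System.Management.Automation.PSCredential ($User, $secure)
    # Equivalent of runas.exe, but the password never appears on a command line,
    # in the channel folder, or in a tuner property.
    Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$BatchFile`"" `
        -Credential $cred -WorkingDirectory (Split-Path $BatchFile) -Wait
}
```

Because the blob is bound to the account (or, via [System.Security.Cryptography.ProtectedData] with the LocalMachine scope, to the machine), the protect step has to run on each endpoint under the account the tuner uses; ConvertFrom-SecureString -Key would let one blob be pushed everywhere, but the key would then ride along in the script, which is the same "two hops away" problem described above.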