The Lockdown

Thycotic’s Cyber Security Blog

Get passwords out of batch files and scripts

Written by Thycotic Team

September 28th, 2012

Some editions of Secret Server include an Application Server API that can be used to get passwords out of your configuration files and scripts. The idea is to authorize the application server to access Secret Server (this is done by installing the Secret Server Application Server API on the application server). The application server then has its own user account in Secret Server, so you can assign permissions controlling which Secrets it can access.

Here is an example of a batch file doing some FTP uploads with an FTP sync tool:

    @echo off
    echo ----------------------------------------
    echo Uploading changes...
    echo ----------------------------------------
    documents ftp://jsmith:passJgH47523@

Notice the embedded password in the file? Not very secure or accountable.

Here are the steps to get rid of that embedded password:

  1. Create an Application Account user in Secret Server.
  2. Install the Secret Server Application Server API on the workstation or server where the script runs. The API is a jar file and the install is done from the command line:
    java -jar secretserver-jconsole.jar -i <username> <password> <URL to Secret Server>
    This will change the password on the Application Account to a random value and will lock the account usage to that machine.
  3. Create a new Secret in Secret Server with the password from the batch file. Give the Application Account access through the permissions.
  4. Change the batch file to make the call to the API and use a variable for the password (the 1587 is the secretid of the new Secret and “Password” is the field name).
    The value of the password is stored in the variable FieldValue, which can be used in the FTP command as %FieldValue%.
  5. That’s it – no more embedded password!

    @echo off
    echo ----------------------------------------
    echo Connecting to Secret Server API...
    echo ----------------------------------------
    FOR /F "tokens=*" %%A IN ('java -jar secretserver-jconsole.jar -s 1587 Password') DO SET FieldValue=%%A
    echo ----------------------------------------
    echo Uploading changes...
    echo ----------------------------------------
    documents ftp://jsmith:%FieldValue%@

We could also look up the username “jsmith” from the same Secret instead of having it in the script too.
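To find scripts that still carry the kind of embedded password shown in the first batch file, here is an added example scanner (not Thycotic's code and not part of Secret Server) that flags hardcoded user:password@ URLs and password-style assignments, while ignoring values that are only a variable reference such as %FieldValue%, which is what the fix above produces. The sample scripts and the ftp.example.test host are constructed for the example.

```python
import re

# Credential embedded in a URL: scheme://user:password@host
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@]+)@", re.IGNORECASE)
# Assignment-style secrets: SET FTP_PASSWORD=..., passwd=..., token: ...
ASSIGN_RE = re.compile(
    r"([A-Za-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|token))\s*[=:]\s*[\"']?([^\s\"']+)",
    re.IGNORECASE,
)
# A value that is only a variable reference (batch %VAR%, shell $VAR / ${VAR})
# means the secret is fetched at runtime, so it is not reported as hardcoded.
VAR_REF_RE = re.compile(r"^(%[^%]+%|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?)$")


def is_variable_reference(value):
    return VAR_REF_RE.match(value) is not None


def redact(value):
    """Keep two characters so a finding can be located in the file without
    copying the full password into a report or ticket."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_embedded_credentials(text):
    """Return (line_number, kind, name, redacted_value) for each hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            user, password = m.group(1), m.group(2)
            if not is_variable_reference(password):
                findings.append((lineno, "url", user, redact(password)))
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if not is_variable_reference(value):
                findings.append((lineno, "assignment", name, redact(value)))
    return findings


# Constructed samples mirroring the post's before/after batch files (host added here).
BEFORE_SCRIPT = """@echo off
echo Uploading changes...
documents ftp://jsmith:passJgH47523@ftp.example.test/upload
"""
AFTER_SCRIPT = """@echo off
FOR /F "tokens=*" %%A IN ('java -jar secretserver-jconsole.jar -s 1587 Password') DO SET FieldValue=%%A
documents ftp://jsmith:%FieldValue%@ftp.example.test/upload
"""

if __name__ == "__main__":
    for script in (BEFORE_SCRIPT, AFTER_SCRIPT):
        print(find_embedded_credentials(script) or "no embedded credentials")
```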

There are other benefits to getting the password out of the batch file:

  • The password can now be rotated by Secret Server on a schedule.
  • There is now a full audit trail in Secret Server for when this password is accessed and used.
  • The batch file can now be added to backups, source code control and documentation without fear of spreading the production password.

It is recommended that you use operating-system ACLs to lock down modification of the batch file on the server, so the script itself cannot be changed. Ideally the server already restricts user access, since it is a production environment.

What other uses can you see for this technology?