How secure are Logon Script parameters passed to a script in Active Directory?
Posted on 2010-08-30
Hi all, I'm hoping someone with some intricate knowledge of Active Directory could provide some advice. My knowledge of it doesn't really extend to the security side of things. I write VBScripts quite regularly to perform tasks at logon. Sometimes I have certain passwords in the script, for database connections, or limited install privileges, etc. I have used the Microsoft Script Encoder to obfuscate these in the past, but I know that the obfuscated code can be reversed relatively easily by anyone determined enough. I have also used tools to convert the VBS to an EXE, which seems to be the best current solution for me. When I trace the EXE with Process Explorer, I cannot see any hint of the raw VBS, so I'm happy with that (although I don't know for certain this EXE cannot be decompiled by anything).
My question is, if in my script I were to use
strPassword = WScript.Arguments.Item(0)
to obtain the password from the Parameters section of a Logon Script assigned by Group Policy, is it secure enough that it can't be "sniffed out" very easily? I understand that it would be passed in plain text, but the password is not directly exposed to any user.
Any advice would be appreciated.