joukiejouk

Unable to encrypt a .bat file.

I have a bat file that I want to encrypt because it has my domain username and password hard coded into it. I tried to encrypt it but I keep getting the following error.

User generated image
What other methods can I try to keep this script protected and encrypted and to prevent other admins or hackers from viewing my credentials in the bat file?
ASKER CERTIFIED SOLUTION
Steve Knight
This solution is only available to members.
joukiejouk

ASKER

If I use the method you indicated, how would I modify my script/bat file if I want to remove my domain credentials? Here is a screenshot of how my script is currently set.

User generated image
Hi.

Don't get me wrong, this is meant to be helpful, but the method you are looking at is plain wrong.
"other admins or hackers" cannot be used in the same sentence. Other admins already have full control over your computer, they can do whatever they like to get hold of every file or keystroke you produce any time they like. It is not possible to lock those out unless you take their administrative rights.
Prying eyes or hackers however should not even be allowed to logon to your pc and even if they have a logon account - unless it is an administrative account, they cannot interfere with your account at all, there's simply no need to encrypt your files.
Then again, if we take it to the max, you would need to encrypt your whole machine, not only one file. Everything else but whole disk encryption is a security misconception if we look at it carefully. That is, because anyone that has physical access to your (non-encrypted) hard drive could modify your user profile, inject keyloggers and have viruses harvest all your goods.

So please think twice: what is your goal, what are you afraid of? Why would a single-file-encryption of any kind be of any help?
Another thing... if you are concerned enough to need a file password inaccessible then surely you should require it changed periodically.

Also if you are going to protect running the batch wanting a password say then you might as well have it prompt for the real admin password.

Just to get a feel for what is needed, who needs to run this, is it unattended, e.g. scheduled or a handy icon for someone else to click on their desktop, or for your use with a non-admin account for instance.

Will answer your other q's about script when not getting kids to bed!

Steve
Basically I have this script set up to work with a scheduled task to reboot machines daily. The script currently uses my domain admin account to run, and the scheduled task is set to use my domain admin account as well. I want to use a service account instead to initiate this scheduled task. In order to get this service account created, I must get this request approved by my IT Security Dept. They are asking me the following:

"How do we protect the script? Will it be encrypted? Where will it be located, and how do we plan to restrict access to that location?"

I guess my security department are just doing their job by asking all these questions. I am just trying to justify using a service account rather than my domain account to have the scheduled task run daily. In viewing my script, what edits do I have to make to have the script run properly without having my credentials in there? The service account (when approved) will be used to initiate the script at a scheduled time.
Scheduling a shutdown needs no password. Deploy a task that uses the system account instead.
This is for remote machines. I have this script set on a service that reboots 500 machines. The script you see above is just a sample that I attached.
Correction: This is for remote machines. I have this script set on a server that reboots 500 machines once a day. The script you see above is just a sample that I attached.
In which case you need a domain or local account that you run the script / shutdown command task as the user it runs at IMO.

Options I would suggest are:

1. Run the script on one machine and restart the others remotely.
2. Schedule it to run on each machine

For #1 or #2 if you run the script with suitable credentials applied to the scheduled task then, and you can use shutdown built in command, no need for psshutdown:

shutdown /m \\otherpc /r /c "Scheduled restart"

That would reboot with a 30 second delay by default, shutdown -? shows you the other options.

You could soon get a bit fancier and add logging, PING the machine before to check it is up, wait until it PING's again afterwards etc.  All depends what you need to do.

Steve
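Option 1 from the post above written out as a batch script, as an added example that is not code from anyone in this thread: it holds no credentials, runs as whatever account the scheduled task is configured with, pings each machine first and logs the outcome. The file names machines.txt and reboot.log and their location beside the script are assumptions.

```batch
@echo off
rem Added example: restart the machines listed in a text file, with no credentials in the script.
rem The account comes from the scheduled task that launches this file.
rem Assumed names: machines.txt (one computer name per line, # starts a comment) and reboot.log.
rem Names are passed to the command line as-is, so keep this folder writable only by
rem administrators and the task account.
setlocal EnableExtensions

set "LIST=%~dp0machines.txt"
set "LOG=%~dp0reboot.log"

if not exist "%LIST%" (
    echo %DATE% %TIME% ERROR machine list not found: "%LIST%">>"%LOG%"
    exit /b 1
)

set /a FAILED=0
for /f "usebackq eol=# tokens=1" %%M in ("%LIST%") do call :reboot "%%M"
echo %DATE% %TIME% DONE machines not restarted: %FAILED% >>"%LOG%"
exit /b %FAILED%

:reboot
set "PC=%~1"
rem A real echo reply contains "TTL="; checking for it avoids counting
rem "Destination host unreachable" as success. -4 forces IPv4 so the text matches.
ping -4 -n 2 -w 1000 %PC% | find "TTL=" >nul
if errorlevel 1 (
    echo %DATE% %TIME% SKIP %PC% does not answer ping>>"%LOG%"
    set /a FAILED+=1
    goto :eof
)
rem /m = remote computer, /r = restart, /c = comment shown to logged-on users.
shutdown /m \\%PC% /r /c "Scheduled restart"
if errorlevel 1 (
    echo %DATE% %TIME% FAIL %PC% shutdown returned an error>>"%LOG%"
    set /a FAILED+=1
) else (
    echo %DATE% %TIME% OK %PC% restart requested>>"%LOG%"
)
goto :eof
```

The script exits with the number of machines that were skipped or failed, so the scheduled task's last-run result shows whether every restart was requested.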
I crossed with your posts there, in which case I assume you have some sort of text file of all the machines to reboot etc.

Have you considered configuring individual scheduled tasks on the machines instead, pushed down through GPO etc.

Steve
I agree on that it should work with the single scheduled task, running as domain admin, not containing credentials and using shutdown. If you want to do that with a single script, this is the way to go.
However, I also agree that it is usually better to set up reboot tasks on each server. It allows for better control over the exact time to reboot.
Can you advise please whether this solved your problem and why you have given a poor "C" grade with no feedback?

thanks

Steve
Thank you.

Steve