A few questions regarding scripting:
- Are scripts pushed through KACE K1000 stored somewhere on the machine or only in memory for the time it runs?
- Are they pushed over the network in a secure fashion, i.e. TLS?
- How does the community deal with securely storing domain credentials needed by a PowerShell script when the script is pushed by KACE K1000?
I wrote a PowerShell script to verify if the current machine name follows a certain convention, and if not, to update it to follow our naming convention. However, I obviously don't want an end-user to be able to get a hold of the credentials, since these credentials would be domain credentials. I'm thinking there's probably a better option than to give the script domain admin credentials (i.e. I'm hoping there's a permission which would give the account access to change computer names in the domain and not much else), and of course, if such a privilege exists, I'll be sure to use it (as opposed to domain admin). That being said, regardless of how limited the powers of the account might be, I still don't want end-users to get a hold of the credentials.
As far as I know, the BAT files or PowerShell scripts are pushed to the workstation as .BAT or .PS files, then the KACE Agent will open them via CMD using your desired credentials (or a SYSTEM level account).
So I would say, if password security is a concern... DO NOT add your passwords to the scripts. If you need them because you are using a NET USE command.... then.... well, anyone tech savvy enough can get the password from \ProgramData\Quest\KACE\kbos_cache\package\ID_OF_Script\; that folder will have all the dependencies that script needs, including your BAT file.
You can add another task to delete all dependencies manually once everything is fine... but that doesn't mean someone couldn't pay attention to that folder and grab your BAT file as soon as it's copied there... or plug the network cord, or enable Airplane mode as soon as the BAT file appears, then right click, Open with Notepad.
You can use the credential manager and run a script as a certain user... that way it will not appear there.
Anyway let's see what others say
As @Channeler said, KACE can run a script as a specific user. We have a domain account specifically for this purpose. It has been configured via Group Policy to be able to log in to workstations with local admin privileges, but is explicitly blocked from things like Remote Desktop, remote PowerShell, Log On As Service, etc. It has just enough access to do what we need when running as SYSTEM doesn't work. You could do something similar and delegate the Active Directory privilege of changing a computer name.
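As an added example (not code from the thread, from Quest, or from either poster), this is the shape of the rename script the question describes when it follows the advice above: it embeds no credentials and relies entirely on the identity KACE runs it as. The naming convention, the SiteCode parameter and the asset-tag rule are assumptions, since the original post does not state the real convention.

```powershell
# Added example: check the hostname against a naming convention and rename if needed.
# No password anywhere in the script or its KACE dependencies: the domain rights come
# from the run-as account (assumption: KACE launches this as the delegated account).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical three-letter site code supplied as a KACE script parameter.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Z]{3}$')]
    [string]$SiteCode
)

$ErrorActionPreference = 'Stop'
# Constructed convention: <SITE>-<ASSETTAG>, e.g. NYC-A1B2C3 (not the poster's real rule).
$NamePattern = '^[A-Z]{3}-[A-Z0-9]{6,8}$'

# Derive the expected name from the BIOS asset tag; fall back to the BIOS serial number.
function Get-ExpectedName {
    param([string]$Site)
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure | Select-Object -First 1
    $tag = if ($enclosure.SMBIOSAssetTag -and $enclosure.SMBIOSAssetTag.Trim()) {
        $enclosure.SMBIOSAssetTag
    } else {
        (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    }
    # Keep alphanumerics only and cap at 8 chars so the whole name stays within NetBIOS' 15.
    $tag = ($tag -replace '[^A-Za-z0-9]', '').ToUpper()
    if ($tag.Length -gt 8) { $tag = $tag.Substring($tag.Length - 8) }
    return "$Site-$tag"
}

$current = $env:COMPUTERNAME
if ($current -match $NamePattern) {
    Write-Output "OK: '$current' already follows the naming convention."
    exit 0
}

$expected = Get-ExpectedName -Site $SiteCode
if ($expected -notmatch $NamePattern) {
    Write-Error "Derived name '$expected' does not match '$NamePattern'; refusing to rename."
    exit 2
}

# No -DomainCredential on purpose: the rename is attempted under the current identity,
# so the only account that can succeed is the one KACE was told to run the script as.
# Run the script with -WhatIf from the K1000 first to see what it would do.
if ($PSCmdlet.ShouldProcess($current, "Rename to '$expected'")) {
    Rename-Computer -NewName $expected -Force -PassThru
    Write-Output "Renamed '$current' -> '$expected'; a reboot is required to finish."
    exit 3010   # Windows convention: success, restart required
}
exit 0
```

Because the script carries no secret, the kbos_cache copy an end-user can open in Notepad reveals nothing; the delegated account's rights (only "write computer name" on the relevant OU) remain the thing to lock down.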