November 25, 2022 at 10:15 pm
Hi, I am new to Powershell script and i have to create a power shell script to get password for SQL service account
from CyberArk.. Could you please suggest how to do that ?
November 25, 2022 at 11:16 pm
I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
--Jeff Moden
Change is inevitable... Change for the better is not.
November 25, 2022 at 11:39 pm
there is documentation for it - https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/Net-Application-Password-SDK.htm?tocpath=Developer%7CCredential%20Provider%7CApplication%20Password%20SDK%7C.NET%20Application%20Password%20SDK%7C_____0
as in powershell you can use any .net dll's its just a question of setting up a script to do it.
I may be able to provide the basis for one next few days.
but main issue here - except for a few rare exceptions a SQL Server instance should either run under a local account (for which you don't have a password at all) or under a MSA/GMSA - for which again you don't have passwords you can use/manage.
so if your setup is using a "normal" user as a service account you should be looking into replacing it instead of trying to automate getting and updating its password
November 25, 2022 at 11:44 pm
I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
Cyberark if used properly would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).
it can even rotate sql server credentials without intervention from a "human".
for highly privileged accounts (or even not so high) its possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application on a certain folder.
November 26, 2022 at 12:08 am
Jeff Moden wrote:I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
Cyberark if used properly would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).
it can even rotate sql server credentials without intervention from a "human".
for highly privileged accounts (or even not so high) its possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application on a certain folder.
Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in Power Shell. The OP said he had to write some PoSh to "get password for SQL service account".
My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 7, 2022 at 7:25 pm
frederico_fonseca wrote:Jeff Moden wrote:I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
Cyberark if used properly would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).
it can even rotate sql server credentials without intervention from a "human".
for highly privileged accounts (or even not so high) its possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application on a certain folder.
Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in Power Shell. The OP said he had to write some PoSh to "get password for SQL service account".
My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.
We used CyberArk to store passwords at my former employer. We had a requirement to change the service ID passwords once a year, and had PowerShell scripts that would retrieve the old password from CyberArk, write the new password there, then change the password in AD. The PowerShell scripts ran under the context of another service ID that had permission to run the scripts. The old password was retrieved in case something failed during the updates.
CyberArk has all sorts of options for storing and retrieving passwords based on who you are, your permissions and such. One of the options is to require approval from some set of approvers before a password is released. It also handles split passwords, will login to an RDP session without the user seeing a password at all. If you have a need for that sort of application, CyberArk works well.
December 8, 2022 at 2:20 am
Jeff Moden wrote:frederico_fonseca wrote:Jeff Moden wrote:I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
Cyberark if used properly would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).
it can even rotate sql server credentials without intervention from a "human".
for highly privileged accounts (or even not so high) its possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application on a certain folder.
Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in Power Shell. The OP said he had to write some PoSh to "get password for SQL service account".
My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.
We used CyberArk to store passwords at my former employer. We had a requirement to change the service ID passwords once a year, and had PowerShell scripts that would retrieve the old password from CyberArk, write the new password there, then change the password in AD. The PowerShell scripts ran under the context of another service ID that had permission to run the scripts. The old password was retrieved in case something failed during the updates.
CyberArk has all sorts of options for storing and retrieving passwords based on who you are, your permissions and such. One of the options is to require approval from some set of approvers before a password is released. It also handles split passwords, will login to an RDP session without the user seeing a password at all. If you have a need for that sort of application, CyberArk works well.
Alright... that sounds a safer than what I was envisioning. Thank you for the information.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply