I’ve been struggling with something for quite some time now. The boss wants a directory on our file server that he will put program installation files in, which all can read and only he can modify.
He wants client workstations to have a script that reads the directory and shows the user what files are there. Then the user, who is a normal domain user (without the ability to install anything), would be able to click install and it would install it.
The idea behind it is to have local admin at the user's station and have the script know the local admin's password and then install the program on the user's computer with those local admin credentials.
This is a very problematic issue because I cannot see how I can secure it without storing the local admin password inside the script, which is a very bad thing.
I tried to think about encrypting the password somehow and converting the script to an executable, but I cannot see a way that a user that knows a little bit about computers wouldn’t be able to decompile the executable. If I use PowerShell encryption, it would be suited for one machine and one user only.
Then I thought of another way: making a call from the client workstation to the filer and then making the filer use psexec back to the user, but this is getting too spaghetti.
Then I thought about making a call from the user's computer to the filer and then from the filer back to the user using invoke-command, but I need to allow WinRM to all the clients.
I'm using PowerShell for this. Maybe someone here has done something similar and can advise me on how to do that securely.
The first option worked great, so I would like to stick with it if possible, but I have to figure out how to secure this thing and not just put credentials in a PowerShell script that sits on the user's computer.
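One way to keep the "user clicks install" flow without any stored password, as an added example that is not part of the original post: a scheduled task on each workstation runs as SYSTEM and installs only files that exist in the boss's directory. The share path, the request folder, the `.req` file convention and the restriction to MSI packages are all assumptions made for this sketch.

```powershell
# Added example (not from the original post). Runs as SYSTEM from a scheduled task,
# so no local admin password exists in any script on the workstation.
# Assumed names: share path, request folder and the *.req convention are hypothetical.
$TrustedShare = '\\fileserver\Installers'         # everyone reads, only the boss writes
$RequestDir   = 'C:\ProgramData\InstallRequests'  # standard users may create files here
# Assumption: SYSTEM reaches the share as the computer account, so computer
# accounts need read access to it.

function Resolve-RequestedInstaller {
    param([string]$RequestedName, [string]$ShareRoot)
    $wanted = $RequestedName.Trim()
    if ([string]::IsNullOrWhiteSpace($wanted)) { return $null }
    # Allowlist: the request must equal the name of a file that is really in the
    # trusted directory. A value containing '\', '/' or '..' can never equal a
    # bare file name, so a request cannot point outside the share.
    $match = Get-ChildItem -LiteralPath $ShareRoot -File |
             Where-Object { $_.Name -eq $wanted -and $_.Extension -eq '.msi' } |
             Select-Object -First 1
    if ($match) { return $match.FullName }
    return $null
}

function Invoke-PendingInstalls {
    param([string]$Queue = $RequestDir, [string]$ShareRoot = $TrustedShare)
    foreach ($req in Get-ChildItem -LiteralPath $Queue -Filter '*.req' -File) {
        # Only the first line is read; it is treated as data, never as a command.
        $name = Get-Content -LiteralPath $req.FullName -TotalCount 1
        $msi  = Resolve-RequestedInstaller -RequestedName $name -ShareRoot $ShareRoot
        if ($msi) {
            # Fixed switches; the validated path is the only variable argument.
            $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                 -ArgumentList @('/i', "`"$msi`"", '/qn', '/norestart')
            Write-Output "Installed $msi (exit code $($p.ExitCode))"
        } else {
            Write-Warning "Rejected request '$name' from $($req.Name)"
        }
        Remove-Item -LiteralPath $req.FullName -Force
    }
}

Invoke-PendingInstalls
```

The user-side script then only lists the share and writes the chosen file name into a `.req` file in the request folder. The design is only as strong as the write permissions on the share, since anything placed there will be installed as SYSTEM.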