3

I have created a file share in Azure and mapped it on a virtual machine named VM_01.

I used the CmdKey command to persist the credentials.

  C:\>cmdkey /add:<yourstorageaccountname>.file.core.windows.net /user:<yourstorageaccountname> /pass:<YourStorageAccountKeyWhichEndsIn==>

I am able to see the shared drives when I log in to the virtual machine, but when other administrators log in to the same machine they do not see and cannot access the shared drives!!

After spending time on the internet, I found that the credentials persisted by CmdKey are available only to the user who ran “CmdKey”. https://blogs.msdn.microsoft.com/windowsazurestorage/2014/05/26/persisting-connections-to-microsoft-azure-files/

So the suggested solution was to use the runas command and then run the CmdKey command, as follows:

   rem This opens a command window running as <username>
   runas /user:<username> cmd.exe

But I have 100 users!!! Do I have to run the above command 100 times with different user names? :( Is there any alternative solution?

Extract from MSDN, but I do not understand what it means!

If you create a new local user on your VM, and add that user to the administrators group, then you can run commands for that user in both elevated and non-elevated contexts. Connections are not shared between elevated and non-elevated contexts, so you may want to connect separately in each context by executing “net use”. However, the persisted credentials are shared, so you only need to run “CmdKey” in one of the contexts.

kudlatiger

2 Answers

1

The obvious way is to run a login script (either GPO or local policy) to map the drive. Obviously the downside to this is that your storage credentials will be stored in plain text in the login script; you can do some encryption with PowerShell or similar, but this still doesn't stop someone walking away with the login script and using it elsewhere, which I suspect may be why you are using cmdkey. As far as I know, there is no way to add credentials via cmdkey without having the credentials stored in a file somewhere to then be used by a script.

This is one of the reasons why I've found Azure files to be less useful than it first appeared.

Sam Cogan
  • @codetoshare no problem, just remember anyone who uses that login script can also go and get the file and read the credentials, allowing them to connect from other locations or take them with them if they leave the company. – Sam Cogan Apr 22 '16 at 11:00
  • Sounds scary! Then what else is the solution? – kudlatiger Apr 22 '16 at 11:04
  • That's the problem, there isn't really one at the moment. From my view Azure files isn't really useful for mapped drives until NTFS permissions are implemented (if they are). – Sam Cogan Apr 22 '16 at 11:05
  • Hey, I just found that the mapping will not work if the hacker or thief does not have the same Azure subscription. It will be internally validated on the storage account! – kudlatiger Apr 22 '16 at 11:06
  • Afraid not, if the user has your storage account name and the key they can get access to your storage account, they do not need rights on your subscription. – Sam Cogan Apr 22 '16 at 11:07
  • But where will they run my script? It will not work on their virtual machine because their VM belongs to a different storage account. – kudlatiger Apr 22 '16 at 11:08
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/38727/discussion-between-sam-and-codetoshare). – Sam Cogan Apr 22 '16 at 11:08
1

Solved it!

I wrote a batch file and added it to the Windows Startup folder.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Batch file content

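   @echo off
   rem Remove existing drive mappings for this user
   net use * /delete /yes

   rem Persist the storage credentials for the user who is logging in
   cmdkey /add:<yourstorageaccountname>.file.core.windows.net /user:<yourstorageaccountname> /pass:<YourStorageAccountKey>

   rem Map the share to X:
   net use X: \\saspr.file.core.windows.net\myfilesharename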

Now anyone who logs in can see my mapped drives!

But as Sam explained, please think about the downside!!

kudlatiger
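As an added example (not from either answer or from Microsoft), this PowerShell audit finds startup or logon scripts that embed a storage account key the way the batch file above does, and lists which accounts can read each file. The function name `Find-EmbeddedStorageKey`, the 40-character base64 threshold, and the demo folder and fake key are assumptions made for this example.

```powershell
# Added example: audit startup/logon scripts for embedded Azure Files keys.
# Assumption: scripts live in the all-users Startup folder named in the answer;
# pass other folders (for example a GPO scripts share) with -Path.
function Find-EmbeddedStorageKey {
    param(
        [string[]]$Path = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
        [string[]]$Include = @('*.bat', '*.cmd', '*.ps1', '*.vbs')
    )
    # Matches "cmdkey ... /pass:<secret>" and "net use ... /user:<name> <secret>".
    # Assumption: a real key is a long base64 run; <placeholders> do not match.
    $pattern = '(?i)(/pass:|/user:\S+\s+)(?<secret>[A-Za-z0-9+/]{40,}={0,2})'
    $read = [System.Security.AccessControl.FileSystemRights]::Read

    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Join caret-continued batch lines so a command split over lines still matches
            $text = (Get-Content -LiteralPath $file.FullName -Raw) -replace '\^\r?\n\s*', ' '
            foreach ($m in [regex]::Matches($text, $pattern)) {
                $secret = $m.Groups['secret'].Value
                # Every identity with an Allow/Read entry can copy the key out of the file
                $readers = (Get-Acl -LiteralPath $file.FullName).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   (($_.FileSystemRights -band $read) -eq $read) } |
                    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
                [pscustomobject]@{
                    File    = $file.FullName
                    Secret  = $secret.Substring(0, 4) + '...(redacted, ' + $secret.Length + ' chars)'
                    Readers = $readers -join '; '
                }
            }
        }
}

# Constructed sample: a script shaped like the batch file above, with a fake 88-character key
$demo = Join-Path $env:TEMP 'startup-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$fakeKey = ('A' * 86) + '=='
Set-Content -Path (Join-Path $demo 'map.bat') `
    -Value "cmdkey /add:example.file.core.windows.net ^`r`n  /user:example /pass:$fakeKey"
Find-EmbeddedStorageKey -Path $demo | Format-List
```

Any hit means the key is readable by every identity in `Readers`; regenerating the storage account key invalidates the copy held in the script.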