RPA Auto log in security problem: passwords stored in the clear...
So, I'm configuring an RPA solution and have disabled screen locking, but the bot needs to sign into the system on a specific domain. I know there is a way to set up the Windows registry to cause an auto-login with domain, ID, and password. My infosec folks are indicating there is a security exposure, as the password stored in the registry is in the clear. If anyone gets onto the machine, they can open the registry and find all the credentials.
Is there another (preferred) way to log into the system on auto-boot with the password encrypted somehow, or other mitigation methods?
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Pega Robotics provides the Credential Store component to securely store credentials on the machine. It uses DPAPI encryption in addition to an additional layer. Just remember, when you call GetCredentials, to right-click on the blue lines coming out and mark them as Sensitive so the contents do not get added to the RuntimeLog when it is enabled; that would essentially be storing them in the clear. You can also use the ASO component, which has the same security. It won't log anything; however, it does have the possibility of showing a UI where a user would need to intervene if the credentials were bad. For RPA projects, this is not a great idea since there really isn't a user present.
For logging in to a machine automatically, there really isn't another way than to use the registry option you mentioned. Using VMs allows you to lock the host machine so that only those with access to the host can access the VMs. That is the line of defense that is normally employed.
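As an added example (not from the original thread or from Pega), here is a PowerShell check for the Winlogon registry exposure the question raises, followed by a DPAPI round trip with caller-supplied entropy, which is the kind of "additional layer" on top of DPAPI that the answer refers to. It assumes Windows PowerShell 5.1 running on the bot machine; the sample password and the entropy string are constructed values, and the finding text is this example's own wording.

```powershell
# Added example, not part of the original post. Audits the Winlogon autologon
# values and demonstrates DPAPI protection with extra entropy.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonExposure {
    # Reports whether autologon is enabled and whether DefaultPassword is
    # present in the registry in the clear. Note: the password may instead be
    # held as an LSA secret, which this check does not read.
    $v = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $enabled   = ($v.AutoAdminLogon -eq '1')
    $plaintext = -not [string]::IsNullOrEmpty($v.DefaultPassword)
    $finding = if ($enabled -and $plaintext) { 'HIGH: DefaultPassword stored in the clear' }
               elseif ($enabled)             { 'INFO: autologon enabled; no cleartext DefaultPassword value' }
               else                          { 'OK: autologon disabled' }
    [pscustomobject]@{
        AutoAdminLogon    = $enabled
        DefaultUserName   = $v.DefaultUserName
        DefaultDomainName = $v.DefaultDomainName
        CleartextPassword = $plaintext
        Finding           = $finding
    }
}

# ProtectedData lives in System.Security on Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Secret, [byte[]]$Entropy)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Secret)
    # LocalMachine scope: any process on this host can unprotect the blob,
    # unless it also knows the entropy, which is the extra layer.
    $blob = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, 'LocalMachine')
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([string]$Blob, [byte[]]$Entropy)
    $raw   = [Convert]::FromBase64String($Blob)
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect($raw, $Entropy, 'LocalMachine')
    [Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample values; in practice the entropy is kept inside the bot
# application, not next to the blob.
$entropy   = [Text.Encoding]::UTF8.GetBytes('rpa-bot-entropy-placeholder')
$blob      = Protect-Secret -Secret 'ExamplePassword123' -Entropy $entropy
$roundTrip = Unprotect-Secret -Blob $blob -Entropy $entropy
if ($roundTrip -ne 'ExamplePassword123') { throw 'DPAPI round trip failed' }
Test-AutoLogonExposure | Format-List
```

Unprotecting with the wrong entropy, or on a different machine, throws a CryptographicException rather than returning the password, which is the behaviour the bot's credential handling should rely on.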