IIS application pool identity account passwords shown in clear text

Question

When I use the appcmd list appool <ApplicationPoolName> /text:* command, it shows me the application pool identity passwords in clear text. I am able to view the passwords in clear text using Get-WMIObject in PowerShell as well. This can be a serious security threat as a user with correct access credentials can easily view the passwords.

The Application Pool in IIS (v7.5) is configured using domain user account/password. In the applicationHost.config file, the password is encrypted using IISWASOnlyAesProvider encryption provider. Still, the password is shown in clear-text when I use any of the above two methods.

Is there any way to encrypt passwords in such a way that they are not shown in clear-text when I use the above two methods?

Answer 1

Unless something has changed, the answer is no. The principal is best stated by Raymond Chen:

'It's like saying that somebody's home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows...)'.

The point in summary, is that anyone that can get to your IIS server or can execute a WMI command remotely against your server, or can execute a powershell command against your server has access.

They are assumed to be admins, and are assumed to be trusted, as occassionally admins would need to pull passwords for recovery purposes, or adding nodes to a shared pool if proper notes or password management wasn't done [mainly needed when doing basic authentication on a domain cluster needing shared passwords].

Answer 2

The passwords are only decrypted if you run appcmd as Administrator. If you run as a normal account, you get back the encrypted string.

This will be something like [enc:IISSomethingProvider:…:enc], just as you find it in applicationHost.config.