
IIS application pool identity account passwords shown in clear text

When I use the appcmd list apppool <ApplicationPoolName> /text:* command, it shows me the application pool identity passwords in clear text. I am able to view the passwords in clear text using Get-WMIObject in PowerShell as well. This can be a serious security threat as a user with correct access credentials can easily view the passwords.

The Application Pool in IIS (v7.5) is configured using domain user account/password. In the applicationHost.config file, the password is encrypted using IISWASOnlyAesProvider encryption provider. Still, the password is shown in clear-text when I use any of the above two methods.

Is there any way to encrypt passwords in such a way that they are not shown in clear-text when I use the above two methods?

Hardik asked May 23 '13 05:05



2 Answers

Unless something has changed, the answer is no. The principle is best stated by Raymond Chen:

'It's like saying that somebody's home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows...)'.

The point, in summary, is that anyone who can get to your IIS server, can execute a WMI command remotely against your server, or can execute a PowerShell command against your server has access.

They are assumed to be admins, and are assumed to be trusted, as occasionally admins would need to pull passwords for recovery purposes, or for adding nodes to a shared pool if proper notes or password management wasn't done [mainly needed when doing basic authentication on a domain cluster needing shared passwords].

Nathan Daniels answered Sep 29 '22 02:09


The passwords are only decrypted if you run appcmd as Administrator. If you run as a normal account, you get back the encrypted string.

This will be something like [enc:IISSomethingProvider:…:enc], just as you find it in applicationHost.config.

Michael answered Sep 29 '22 04:09
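The stored form described in the answer above can be audited without decrypting anything. The following is an added example, not part of the original question or answers: it parses applicationHost.config-style XML and reports which application pools run under a custom account and whether the password attribute is in the [enc:Provider:…:enc] form. The sample XML, the pool and account names, and the function name Get-AppPoolIdentityAudit are constructed for illustration.

```powershell
# Added example (PowerShell 3.0 or later). Constructed sample input:
# pool names, account names and the encrypted blob are made up.
$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="PoolA">
        <processModel identityType="SpecificUser" userName="EXAMPLE\svc-a"
                      password="[enc:IISWASOnlyAesProvider:Q09OU1RSVUNURUQ=:enc]" />
      </add>
      <add name="PoolB">
        <processModel identityType="SpecificUser" userName="EXAMPLE\svc-b"
                      password="constructed-not-encrypted" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

function Get-AppPoolIdentityAudit {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][xml]$Config)
    $xpath = '/configuration/system.applicationHost/applicationPools/add'
    foreach ($pool in $Config.SelectNodes($xpath)) {
        $pm = $pool.SelectSingleNode('processModel')
        # Only pools that explicitly run as a named account store a password.
        if ($null -eq $pm -or $pm.GetAttribute('identityType') -ne 'SpecificUser') { continue }
        $pw = $pm.GetAttribute('password')   # inspected for its form only, never emitted
        if ($pw -match '^\[enc:([^:]+):.+:enc\]$') {
            $stored = "encrypted ($($Matches[1]))"
        } elseif ($pw) {
            $stored = 'NOT in [enc:...:enc] form'
        } else {
            $stored = 'no password attribute'
        }
        [pscustomobject]@{
            Pool     = $pool.GetAttribute('name')
            UserName = $pm.GetAttribute('userName')
            Stored   = $stored
        }
    }
}

# Run against the constructed sample. For a real server, pass
# [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
Get-AppPoolIdentityAudit -Config $sample | Format-Table -AutoSize
```

The report lists each custom-identity pool with the account name and the storage form of its password, which gives an inventory of the accounts whose credentials any administrator of the server can recover.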