Comments on Musings on Information Technology - A view from the trenches: IIS App Pool Credentials Exposed

Anonymous (2015-10-11 11:53:56 +01:00):
Yes, you are correct; passwords should not be stored like this. But then again, why would anyone set up an app pool to run with a personal account with admin privileges?

Anonymous (2015-10-11 13:02:57 +01:00):
Unfortunately this IIS 'feature' has been there for years; I'm sure I already saw it in IIS 6 (probably in each version)...

manyrootsofallevil (2015-10-11 17:55:14 +01:00):
If you're integrating with another system, granting the app pool user access to that system seemed a better alternative than having to store the credentials somehow, but clearly this was predicated on the assumption that the app pool user credentials were safely stored, which clearly they're not.

Scott Brickey (2015-10-11 18:14:04 +01:00):
Poor understanding of practical security...

1. Of course the encrypted password is stored; it'd need to be for the service to start... and encryption algorithms are pretty standard, so really it doesn't make MUCH difference seeing it encrypted vs decrypted, since the former is simply a few lines of code away from being decrypted.

2. You said you were local admin, so of course you'd have ACCESS to the stored password. As Raymond Chen writes, "It rather involved being on the other side of the airtight hatchway" (see http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/592350.aspx and many others). Just as you have permission to CHANGE the account that it uses... or, since it's a local account, to change the password directly.

3. Most of the time, the passwords are stored using DPAPI, which encrypts the data using a key that's based either on the local machine or on the account. Which key you use depends on how you are securing the data. In this case, I'd bet on the machine (since the service configuration is local to the machine). DPAPI is a standard API meant for exactly this type of thing.

4. Yes, you've ALWAYS been able to decrypt such passwords... Windows service passwords, IIS app pool passwords... the list goes on... nothing new... want proof? Just search for "password recovery".

manyrootsofallevil (2015-10-12 18:14:58 +01:00):
The point I was trying to make is that the passwords are stored in clear text, which they should not be.