Ensure 'passwordFormat' is not set to clear (Scored)

Welcome Forums General PowerShell Q&A Ensure 'passwordFormat' is not set to clear (Scored)

This topic contains 2 replies, has 2 voices, and was last updated by

2 weeks, 1 day ago.

  • Author
  • #113129

    Points: 0
    Rank: Member


    I am currently working on PowerShell cmdlets to apply server hardening (more to IIS hardening) based on CIS benchmark framework.

    my task is to relate the hardening steps which is in GUI from to PowerShell cmd to able to automate the hardening processes.

    I need some help on this portion

    " Ensure 'passwordFormat' is not set to clear (Scored)"
    The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1.

    Authentication credentials should always be protected to reduce the risk of stolen authentication credentials.


    with all the information provided above, I tried to do up an automated script.

    thus, I had some difficulties locating machine.config file via PowerShell to configure the passwordFormat from clear to sha1.

    Really appreciate some help from those who have managed to do before to share some idea.

    Thank you @Ratty


  • #113132

    Points: 20
    Rank: Member

    Are you planning to change machine.config directly ?
    You should be using cmdlets(Set-WebConfigurationProperty) from WebAdministration module.

  • #113290

    Points: 0
    Rank: Member

    Hi kvparsoon,

    Thanks for the response.

    Yes, I am changing values within the machine.config file.

    Well, the real difficulty is I am trying to figure out what is the path.

    For Example,
    Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/basicAuthentication" -Name Enabled -Value True 

    This cmdlet above allows to enables and disable (need to change the value a little to disable)

    the basic authentications.



    I am looking for the filters that direct me to the preferences I will want to change.

    which will be changing the passwordFormat = Clear to PasswordFormat=Sha 1  in the machine.config file.


    looking forward to your knowledge sharing

    Thank you


You must be logged in to reply to this topic.