IIS: Encrypting AppPool Identity Passwords

This topic contains 3 replies, has 2 voices, and was last updated by Derek Ardolf 2 years, 1 month ago.

  • #20364
    Derek Ardolf
    Participant

    I have run into an issue when scripting AppPool identity passwords.

    If I go through the GUI, with IIS Manager, and set the identity/password (under ProcessModel) for an AppPool — the prompt seems to show that the password you are entering is encrypted.
    When I import the WebAdministration Module, and dive into the IIS PSDrive, I find that the password is sitting in clear text.

    Each example I find online that talks about setting this password is using the Set-ItemProperty command, which sets the password in plain text. I'm not sure how to work around this. TechNet documentation says that you should use the IIS Manager or AppCmd.exe to set it encrypted.

    Any help here would be appreciated. I am using IIS v8.

    # Using Set-ItemProperty to set the password
    Import-Module WebAdministration   # provides the IIS: PSDrive used below
    $POSHSrvAcct = Get-Credential
    $NewWebsite = @{
        'SiteName'       = "poshtest.posh.com"
        'ServiceAccount' = $POSHSrvAcct.UserName
        'Password'       = $POSHSrvAcct.GetNetworkCredential().Password
    }

    # Set the AppPool to run as the specific account (the AppPool must already exist)
    Set-ItemProperty -Path "IIS:\AppPools\$($NewWebsite.SiteName)" -Name ProcessModel -Value @{
        'identityType' = "SpecificUser"
        'userName'     = $NewWebsite.ServiceAccount
        'password'     = $NewWebsite.Password
    }

    # Retrieve password; shows the actual password in plain text, regardless of whether IIS Manager was used to set it
    (Get-ItemProperty "IIS:\AppPools\$($NewWebsite.SiteName)" -Name ProcessModel).Password

  • #20365
    Derek Ardolf
    Participant

    Side note:

    I'm trying to see if it is possible to avoid someone being able to run this command:

    (ls IIS:\AppPools | Get-ItemProperty -Include ProcessModel).ProcessModel | select UserName,Password
    

    And now have all service accounts associated with web apppools, along with their plain-text passwords.

  • #20385
    Daniel Krebs
    Participant

    Derek,

    I think you've discovered a feature. The password is stored encrypted in the applicationHost.config via Set-ItemProperty, but Get-Item/Get-ItemProperty show it decrypted regardless of whether the password was set via IIS Manager, AppCmd or PowerShell. I'm not aware of a way to prevent this, because if you're an Administrator of a machine you own the machine anyway and can decrypt local passwords.
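
An added audit check (not code from this thread) that reads applicationHost.config directly, as the reply above describes, and reports SpecificUser pools whose stored password attribute is not in the `[enc:<provider>:<blob>:enc]` form IIS writes for encrypted values; the config path, the provider-name pattern and the element layout are assumptions, and nothing is decrypted or printed beyond pool and account names.

```powershell
# Added example: verify that every AppPool running as a specific user has its
# password stored in encrypted form in applicationHost.config. Reads the file only.
# Assumed default location of the IIS configuration file (requires Administrator).
$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"

function Get-AppPoolCredentialAudit {
    param([string]$Path = $ConfigPath)

    [xml]$config = Get-Content -LiteralPath $Path -Raw
    # Assumed layout: configuration/system.applicationHost/applicationPools/add[@name]
    $pools = $config.configuration.'system.applicationHost'.applicationPools.add

    foreach ($pool in $pools) {
        $pm = $pool.processModel
        # Pools without a processModel element, or not using SpecificUser, store no secret
        if (-not $pm -or $pm.identityType -ne 'SpecificUser') { continue }

        $stored = [string]$pm.password
        [pscustomobject]@{
            AppPool   = $pool.name
            UserName  = $pm.userName
            # IIS writes encrypted attributes as [enc:<provider>:<blob>:enc];
            # anything else in this attribute is plain text in the file.
            Encrypted = $stored -match '^\[enc:[^:]+:.+:enc\]$'
            Provider  = if ($stored -match '^\[enc:([^:]+):') { $Matches[1] } else { '(none)' }
        }
    }
}

# Report only pools whose password attribute is NOT in the encrypted form
Get-AppPoolCredentialAudit | Where-Object { -not $_.Encrypted } |
    Format-Table AppPool, UserName, Provider -AutoSize
```

An empty result means every SpecificUser pool's secret is protected at rest in the file; it says nothing about what Get-ItemProperty will show an administrator, which is the point of the reply above.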

  • #20392
    Derek Ardolf
    Participant

    I had a feeling this was the case. I had seen the same results regarding the manager, AppCmd, and PowerShell and thought maybe I was doing something wrong.
    I wasn't aware that there was a 'feature' that would allow for the decryption of passwords like that until yesterday.

    I guess that means I can automate the service accounts attached to new AppPools of future IIS server builds that use the same accounts haha

    You has all the keys:

    # Computer that has IIS identity/passwords to pull
    $SourceComputerName = "WebServer01"

    # Pull all AppPools, and thus pull all nested usernames and passwords (if any)
    $AppPoolInfo = Invoke-Command -ComputerName $SourceComputerName -ScriptBlock {
      Import-Module WebAdministration
      ls IIS:\AppPools | Get-ItemProperty
    }

    # $NewWebSites: array of AppPool names to configure on this server; defined elsewhere
    # in the build script. Each AppPool must already exist under IIS:\AppPools.
    Import-Module WebAdministration
    foreach ($NewWebSiteName in $NewWebSites) {
      $WebAppPool = ($AppPoolInfo | where {$_.Name -like "$NewWebsiteName"}).ProcessModel
      $null = Set-ItemProperty -Path "IIS:\AppPools\$NewWebSiteName" -Name ProcessModel -Value @{
        'identityType'="SpecificUser"
        'userName'=$WebAppPool.UserName
        'password'=$WebAppPool.Password
      }
      Clear-Variable WebAppPool
    }

    # List all usernames/passwords
    # $AppPoolInfo.ProcessModel | select UserName,Password

