Possible to retrieve password of current application pool - Inetserver

What about running the web app pool as a user that has Administrator
privileges?

Cheers
Ken

"Dylan Nicholson" <wizofaus@hotmail.com> wrote in message
news:1191510657.740308.102980@w3g2000hsg.googlegroups.com...
> Running as an administrator, I can retrieve the account password
> stored by IIS for any application pool (using the WAMUserPass
> property). But, unsurprisingly, an ASP.NET application running inside
> an application pool that is does not have administrator privileges
> can't even enumerate the list of application pools.
> I can access the application pool by hard-coding the name, but even
> then the WAMUserPass is an empty property value collection.
> This doesn't hugely surprise me, but it's somewhat frustrating - the
> reason I want access to this password is to schedule Windows Tasks
> with the same account, and for that I need the password. Seeing as
> the password has already been configured and stored by IIS, I want to
> avoid needing to configure and store it elsewhere too.
> Unless there's another way around this...
>

What about running the web app pool as a user that has Administrator
privileges?

Cheers
Ken

"Dylan Nicholson" <wizofaus@hotmail.com> wrote in message
news:1191510657.740308.102980@w3g2000hsg.googlegroups.com...
> Running as an administrator, I can retrieve the account password
> stored by IIS for any application pool (using the WAMUserPass
> property). But, unsurprisingly, an ASP.NET application running inside
> an application pool that is does not have administrator privileges
> can't even enumerate the list of application pools.
> I can access the application pool by hard-coding the name, but even
> then the WAMUserPass is an empty property value collection.
> This doesn't hugely surprise me, but it's somewhat frustrating - the
> reason I want access to this password is to schedule Windows Tasks
> with the same account, and for that I need the password. Seeing as
> the password has already been configured and stored by IIS, I want to
> avoid needing to configure and store it elsewhere too.
> Unless there's another way around this...
>

Hello,

Please see my answers inline


Dylan Nicholson wrote:

>Running as an administrator, I can retrieve the account password
>stored by IIS for any application pool (using the WAMUserPass
>property). But, unsurprisingly, an ASP.NET application running inside
>an application pool that is does not have administrator privileges
>can't even enumerate the list of application pools.

That is true, by default non-administrators cannot enumerate the list of
application pools.

>I can access the application pool by hard-coding the name, but even
>then the WAMUserPass is an empty property value collection.

That is also true. By default, non-administrators can access non-secure
properties, but not secure properties.

>This doesn't hugely surprise me, but it's somewhat frustrating - the
>reason I want access to this password is to schedule Windows Tasks
>with the same account, and for that I need the password. Seeing as
>the password has already been configured and stored by IIS, I want to
>avoid needing to configure and store it elsewhere too.
>Unless there's another way around this...

I would run the scheduled application with a special user that has been
setup specifically for this purpose. Then you can evaluate what
permissions are needed, and run the application with a locked-down user
account.

Hope this helps!


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info

Hello,

Please see my answers inline


Dylan Nicholson wrote:

>Running as an administrator, I can retrieve the account password
>stored by IIS for any application pool (using the WAMUserPass
>property). But, unsurprisingly, an ASP.NET application running inside
>an application pool that is does not have administrator privileges
>can't even enumerate the list of application pools.

That is true, by default non-administrators cannot enumerate the list of
application pools.

>I can access the application pool by hard-coding the name, but even
>then the WAMUserPass is an empty property value collection.

That is also true. By default, non-administrators can access non-secure
properties, but not secure properties.

>This doesn't hugely surprise me, but it's somewhat frustrating - the
>reason I want access to this password is to schedule Windows Tasks
>with the same account, and for that I need the password. Seeing as
>the password has already been configured and stored by IIS, I want to
>avoid needing to configure and store it elsewhere too.
>Unless there's another way around this...

I would run the scheduled application with a special user that has been
setup specifically for this purpose. Then you can evaluate what
permissions are needed, and run the application with a locked-down user
account.

Hope this helps!


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info

On Oct 5, 5:07 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
wrote:
> What about running the web app pool as a user that has Administrator
> privileges?
>
Client insisted that this wasn't acceptable.

On Oct 5, 5:07 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
wrote:
> What about running the web app pool as a user that has Administrator
> privileges?
>
Client insisted that this wasn't acceptable.

On Oct 6, 1:59 am, "Kristofer Gafvert" <kgafv...@NEWSilopia.com>
wrote:
> Hello,
>
> Please see my answers inline
>
> Dylan Nicholson wrote:
> >Running as an administrator, I can retrieve the account password
> >stored by IIS for any application pool (using the WAMUserPass
> >property). But, unsurprisingly, an ASP.NET application running inside
> >an application pool that is does not have administrator privileges
> >can't even enumerate the list of application pools.
>
> That is true, by default non-administrators cannot enumerate the list of
> application pools.
>
> >I can access the application pool by hard-coding the name, but even
> >then the WAMUserPass is an empty property value collection.
>
> That is also true. By default, non-administrators can access non-secure
> properties, but not secure properties.
>
> >This doesn't hugely surprise me, but it's somewhat frustrating - the
> >reason I want access to this password is to schedule Windows Tasks
> >with the same account, and for that I need the password. Seeing as
> >the password has already been configured and stored by IIS, I want to
> >avoid needing to configure and store it elsewhere too.
> >Unless there's another way around this...
>
> I would run the scheduled application with a special user that has been
> setup specifically for this purpose. Then you can evaluate what
> permissions are needed, and run the application with a locked-down user
> account.
>
The ASP.NET app has the same permission requirements as the scheduled
task - reading/writing to the same directory, accessing the same
database.
Anyway, how would that help, I'd still need to store a password.
Actually my current "solution" is for the password to be fixed via an
algorithm that uses static hard-coded information. Not happy with it
though.

On Oct 6, 1:59 am, "Kristofer Gafvert" <kgafv...@NEWSilopia.com>
wrote:
> Hello,
>
> Please see my answers inline
>
> Dylan Nicholson wrote:
> >Running as an administrator, I can retrieve the account password
> >stored by IIS for any application pool (using the WAMUserPass
> >property). But, unsurprisingly, an ASP.NET application running inside
> >an application pool that is does not have administrator privileges
> >can't even enumerate the list of application pools.
>
> That is true, by default non-administrators cannot enumerate the list of
> application pools.
>
> >I can access the application pool by hard-coding the name, but even
> >then the WAMUserPass is an empty property value collection.
>
> That is also true. By default, non-administrators can access non-secure
> properties, but not secure properties.
>
> >This doesn't hugely surprise me, but it's somewhat frustrating - the
> >reason I want access to this password is to schedule Windows Tasks
> >with the same account, and for that I need the password. Seeing as
> >the password has already been configured and stored by IIS, I want to
> >avoid needing to configure and store it elsewhere too.
> >Unless there's another way around this...
>
> I would run the scheduled application with a special user that has been
> setup specifically for this purpose. Then you can evaluate what
> permissions are needed, and run the application with a locked-down user
> account.
>
The ASP.NET app has the same permission requirements as the scheduled
task - reading/writing to the same directory, accessing the same
database.
Anyway, how would that help, I'd still need to store a password.
Actually my current "solution" is for the password to be fixed via an
algorithm that uses static hard-coded information. Not happy with it
though.

"Dylan Nicholson" <wizofaus@hotmail.com> wrote in message
news:1191753837.336887.274420@d55g2000hsg.googlegroups.com...
> On Oct 5, 5:07 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
> wrote:
>> What about running the web app pool as a user that has Administrator
>> privileges?
>>
> Client insisted that this wasn't acceptable.

OK - use the DPAPI API available with Windows to store/retrieve the
password. That way you don't need to come up with your own secure storage
mechanism for passwords.

Cheers
Ken