Securing IIS AppPool identity password - iis

Context:
I'm trying to use a custom windows account for application pool, and enable Oracle OS authentication so that we would not have to store DB username and password in a config file.
Problem:
This setup works, however, I've noticed that I am able to 'recover' password using appcmd.exe. Is there a way to make sure someone with administrative and physical access cannot read the password in plain text?
This is a Windows 2016 machine, IIS 10. Password looks encrypted when looking into applicationHost.config file.
Following command shows the password:
%systemroot%\system32\inetsrv\appcmd.exe list apppool "ImoAppPool" /text:*

Related

Change password in MySQL in App - Microsoft Azure

How can I change the password of user azure in MySQL in App?
What I have tried so far:
There are two configuration files named MYSQLCONNSTR_localdb.txt and MYSQLCONNSTR_localdb.ini. I have changed the default password there, but nothing happened. Also, if I change the password using PHPMyAdmin, then I cannot login again to PHPMyAdmin (for reasons unknown to me) using the new credentials.
Quoting the doc:
Can I customize the database, username and password to be used?
Yes. The connection string is stored at
D:\home\data\mysql\MYSQLCONNSTR_localdb.txt. The application (such
as wordpress) reads from this file for what database, username and
password to use. This also applies to what to backup and restore
provided by Azure WebApps. If you want to customize the database,
username and password, after you have created a new database, add new
username or update password, simply modify
D:\home\data\mysql\MYSQLCONNSTR_localdb.ini, remove
D:\home\data\mysql\MYSQLCONNSTR_localdb.txt and restart the WebApps.

Change admin password on Server 2012, breaks IIS

I have a server 2012 box running IIS. I am trying to change the admin password for the OS, but it is breaking permissions/access for IIS. I have since reverted back to the old password and all works. What do I need to change in addition to the OS to make the new password work for IIS sites?
Open IIS
Select Application Pools
right-click on your pool and select Advanced settings...
Edit the Identity setting with your credentials
For mine, I set the Custom Account. I have to update this every time I change my credentials.
Have you tried synchronizing the new password in IIS, in the sites that don't work?
Check site credentials, specially if using a "specific user" (as opposed to pass-through authentication) at:
IIS console-->Click on site-->Click Basic Settings (on the Action panel)-->Connect As
There you can synchronize the password registered in IIS with the current user password, but take note that if this works, then something is wrong with your configuration since the logged on user (the admin as you mentioned) shouldn't be used to access site data/folders. It's way too risky!!
If you're using pass-through authentication, check the configuration of the application pool that the site is using, but I repeat: If changing/synchronizing the admin's password solves your problem, then you must have some bad configuration in place.

IIS application pool identity account passwords shown in clear text

When I use the appcmd list apppool <ApplicationPoolName> /text:* command, it shows me the application pool identity passwords in clear text. I am able to view the passwords in clear text using Get-WMIObject in PowerShell as well. This can be a serious security threat as a user with correct access credentials can easily view the passwords.
The Application Pool in IIS (v7.5) is configured using domain user account/password. In the applicationHost.config file, the password is encrypted using IISWASOnlyAesProvider encryption provider. Still, the password is shown in clear-text when I use any of the above two methods.
Is there any way to encrypt passwords in such a way that they are not shown in clear-text when I use the above two methods?
Unless something has changed, the answer is no. The principle is best stated by Raymond Chen:
'It's like saying that somebody's home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows...)'.
The point, in summary, is that anyone that can get to your IIS server or can execute a WMI command remotely against your server, or can execute a PowerShell command against your server has access.
They are assumed to be admins, and are assumed to be trusted, as occasionally admins would need to pull passwords for recovery purposes, or adding nodes to a shared pool if proper notes or password management wasn't done [mainly needed when doing basic authentication on a domain cluster needing shared passwords].
The passwords are only decrypted if you run appcmd as Administrator. If you run as a normal account, you get back the encrypted string.
This will be something like [enc:IISSomethingProvider:…:enc], just as you find it in applicationHost.config.
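
An audit of the storage format described above, as an added example that is not part of the original posts: it lists application pools that run under a custom account and reports whether the password attribute is in the `[enc:Provider:…:enc]` form, without printing any password. The embedded XML is a constructed sample in the shape of applicationHost.config, and the function name `Get-AppPoolCredentialAudit`, the `LegacyPool` pool and the `EXAMPLE\svc-*` accounts are assumptions made for illustration.

```powershell
# Constructed sample; pool names, accounts and password values are made up.
# To audit a real server (elevated prompt), load the live file instead:
#   [xml]$config = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$config = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="ImoAppPool">
        <processModel identityType="SpecificUser" userName="EXAMPLE\svc-imo"
                      password="[enc:IISWASOnlyAesProvider:CONSTRUCTED-PLACEHOLDER:enc]" />
      </add>
      <add name="LegacyPool">
        <processModel identityType="SpecificUser" userName="EXAMPLE\svc-legacy"
                      password="constructed-cleartext-value" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

function Get-AppPoolCredentialAudit {
    param([Parameter(Mandatory)][xml]$Config)

    $xpath = '/configuration/system.applicationHost/applicationPools/add'
    foreach ($pool in $Config.SelectNodes($xpath)) {
        $pm = $pool.SelectSingleNode('processModel')
        # Only custom accounts carry a stored password; built-in identities do not.
        if ($null -eq $pm -or $pm.GetAttribute('identityType') -ne 'SpecificUser') { continue }

        $stored = $pm.GetAttribute('password')
        # Encrypted attributes are wrapped as [enc:<provider>:<ciphertext>:enc].
        $match = [regex]::Match($stored, '^\[enc:(?<provider>[^:]+):.+:enc\]$')

        [pscustomobject]@{
            AppPool  = $pool.GetAttribute('name')
            UserName = $pm.GetAttribute('userName')
            Storage  = if ($match.Success) { 'Encrypted' } elseif ($stored) { 'ClearText' } else { 'Missing' }
            Provider = if ($match.Success) { $match.Groups['provider'].Value } else { $null }
        }
    }
}

# Report the storage form only; the password value itself is never emitted.
Get-AppPoolCredentialAudit -Config $config | Format-Table -AutoSize
```

An `Encrypted` result only describes how the value sits in the file; as the answers above state, an administrator can still read it back through appcmd.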

Win2k3 password Authentication using LDAP in VC++

I need to implement the Win2k3 password validation policy. As my application resides on Win2k3, can we validate the password directly with windows domain password by using LDAP. This is because application design does not want to store 8/more password entry into DB and validate new password against that. As Windows already does same thing and using LDAP we can lookup into windows server.
Can anyone please let me know the LDAP API to fulfill the above requirement in VC++?
There is an API that Secure Ops, Novell's Identity Manager, and other products use to plugin to the password change functionality. (I do not know the API name, sorry).
It requires a password filter installed on each domain controller, since the only time it can catch the clear text password to try and do anything with it is when it is being changed, and it might be changed on any given DC at any moment in time.

How do I setup IIS 6 with anonymous access for local asp.net webforms development?

When I setup IIS6 to develop projects locally I have to enable "Integrated Windows Authentication" under directory security in order for my CSS & Images to show up. (Note: I have double checked that network service has rights to all directories in my web application)
However this often causes my browser to prompt me for windows login username and password when I am running the application.
Is there any way to get around entering a windows login password all the time?
(I am using windows xp pro 64bit)
Maybe it is some problem with the Kerberos authentication to your web site. Just disable it on your site. From the c:\Inetpub\AdminScripts directory run this command.
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Or change the authentication to anonymous. And make sure that the user in the directory security tab (IUSR_computername) has access to said directories. It is not the application pool user who accesses files and other resources.
Well it certainly is not as it's supposed to be!
You say you've double checked that Network Service has access to the directories. But with anonymous access, the account that needs access is the IUSR_[machinename] account. The account is specified under the Directory Security tab.
If all else fails, for local development you might as well grant everyone access to the directories.
