Possible to retrieve password of current application pool

Discussion in 'ASP .Net' started by Dylan Nicholson, Oct 4, 2007.

  1. Running as an administrator, I can retrieve the account password
    stored by IIS for any application pool (using the WAMUserPass
    property). But, unsurprisingly, an ASP.NET application running inside
    an application pool that is does not have administrator privileges
    can't even enumerate the list of application pools.
    I can access the application pool by hard-coding the name, but even
    then the WAMUserPass is an empty property value collection.
    This doesn't hugely surprise me, but it's somewhat frustrating - the
    reason I want access to this password is to schedule Windows Tasks
    with the same account, and for that I need the password. Seeing as
    the password has already been configured and stored by IIS, I want to
    avoid needing to configure and store it elsewhere too.
    Unless there's another way around this...
    Dylan Nicholson, Oct 4, 2007
    #1
    1. Advertising

  2. Dylan Nicholson

    Ken Schaefer Guest

    What about running the web app pool as a user that has Administrator
    privileges?

    Cheers
    Ken

    "Dylan Nicholson" <> wrote in message
    news:...
    > Running as an administrator, I can retrieve the account password
    > stored by IIS for any application pool (using the WAMUserPass
    > property). But, unsurprisingly, an ASP.NET application running inside
    > an application pool that is does not have administrator privileges
    > can't even enumerate the list of application pools.
    > I can access the application pool by hard-coding the name, but even
    > then the WAMUserPass is an empty property value collection.
    > This doesn't hugely surprise me, but it's somewhat frustrating - the
    > reason I want access to this password is to schedule Windows Tasks
    > with the same account, and for that I need the password. Seeing as
    > the password has already been configured and stored by IIS, I want to
    > avoid needing to configure and store it elsewhere too.
    > Unless there's another way around this...
    >
    Ken Schaefer, Oct 5, 2007
    #2
    1. Advertising

  3. Hello,

    Please see my answers inline


    Dylan Nicholson wrote:

    >Running as an administrator, I can retrieve the account password
    >stored by IIS for any application pool (using the WAMUserPass
    >property). But, unsurprisingly, an ASP.NET application running inside
    >an application pool that is does not have administrator privileges
    >can't even enumerate the list of application pools.


    That is true, by default non-administrators cannot enumerate the list of
    application pools.

    >I can access the application pool by hard-coding the name, but even
    >then the WAMUserPass is an empty property value collection.


    That is also true. By default, non-administrators can access non-secure
    properties, but not secure properties.

    >This doesn't hugely surprise me, but it's somewhat frustrating - the
    >reason I want access to this password is to schedule Windows Tasks
    >with the same account, and for that I need the password. Seeing as
    >the password has already been configured and stored by IIS, I want to
    >avoid needing to configure and store it elsewhere too.
    >Unless there's another way around this...


    I would run the scheduled application with a special user that has been
    setup specifically for this purpose. Then you can evaluate what
    permissions are needed, and run the application with a locked-down user
    account.

    Hope this helps!


    --
    Regards,
    Kristofer Gafvert
    http://www.gafvert.info/iis/ - IIS Related Info
    Kristofer Gafvert, Oct 5, 2007
    #3
  4. On Oct 5, 5:07 pm, "Ken Schaefer" <>
    wrote:
    > What about running the web app pool as a user that has Administrator
    > privileges?
    >

    Client insisted that this wasn't acceptable.
    Dylan Nicholson, Oct 7, 2007
    #4
  5. On Oct 6, 1:59 am, "Kristofer Gafvert" <>
    wrote:
    > Hello,
    >
    > Please see my answers inline
    >
    > Dylan Nicholson wrote:
    > >Running as an administrator, I can retrieve the account password
    > >stored by IIS for any application pool (using the WAMUserPass
    > >property). But, unsurprisingly, an ASP.NET application running inside
    > >an application pool that is does not have administrator privileges
    > >can't even enumerate the list of application pools.

    >
    > That is true, by default non-administrators cannot enumerate the list of
    > application pools.
    >
    > >I can access the application pool by hard-coding the name, but even
    > >then the WAMUserPass is an empty property value collection.

    >
    > That is also true. By default, non-administrators can access non-secure
    > properties, but not secure properties.
    >
    > >This doesn't hugely surprise me, but it's somewhat frustrating - the
    > >reason I want access to this password is to schedule Windows Tasks
    > >with the same account, and for that I need the password. Seeing as
    > >the password has already been configured and stored by IIS, I want to
    > >avoid needing to configure and store it elsewhere too.
    > >Unless there's another way around this...

    >
    > I would run the scheduled application with a special user that has been
    > setup specifically for this purpose. Then you can evaluate what
    > permissions are needed, and run the application with a locked-down user
    > account.
    >

    The ASP.NET app has the same permission requirements as the scheduled
    task - reading/writing to the same directory, accessing the same
    database.
    Anyway, how would that help, I'd still need to store a password.
    Actually my current "solution" is for the password to be fixed via an
    algorithm that uses static hard-coded information. Not happy with it
    though.
    Dylan Nicholson, Oct 7, 2007
    #5
  6. Dylan Nicholson

    Ken Schaefer Guest

    "Dylan Nicholson" <> wrote in message
    news:...
    > On Oct 5, 5:07 pm, "Ken Schaefer" <>
    > wrote:
    >> What about running the web app pool as a user that has Administrator
    >> privileges?
    >>

    > Client insisted that this wasn't acceptable.


    OK - use the DPAPI API available with Windows to store/retrieve the
    password. That way you don't need to come up with your own secure storage
    mechanism for passwords.

    Cheers
    Ken
    Ken Schaefer, Oct 7, 2007
    #6
  7. On Oct 7, 9:39 pm, "Ken Schaefer" <>
    wrote:
    > "Dylan Nicholson" <> wrote in message
    >
    > news:...
    >
    > > On Oct 5, 5:07 pm, "Ken Schaefer" <>
    > > wrote:
    > >> What about running the web app pool as a user that has Administrator
    > >> privileges?

    >
    > > Client insisted that this wasn't acceptable.

    >
    > OK - use the DPAPI API available with Windows to store/retrieve the
    > password. That way you don't need to come up with your own secure storage
    > mechanism for passwords.
    >

    DPAPI offers storage? I thought it only offered encryption (and even
    then you have to provide a password). And it doesn't solve the
    problem have the user having to supply the password twice.
    Dylan Nicholson, Oct 8, 2007
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. HaukiDog
    Replies:
    0
    Views:
    466
    HaukiDog
    Mar 7, 2004
  2. AAaron123
    Replies:
    2
    Views:
    2,150
    AAaron123
    Jan 16, 2009
  3. AAaron123
    Replies:
    1
    Views:
    1,334
    Oriane
    Jan 16, 2009
  4. Rick Lawson
    Replies:
    8
    Views:
    799
    Graham Dumpleton
    Jul 17, 2009
  5. Replies:
    1
    Views:
    290
    Thomas 'PointedEars' Lahn
    Mar 19, 2008
Loading...

Share This Page