Possible to retrieve password of current application pool

 
 
Dylan Nicholson
      10-04-2007
Running as an administrator, I can retrieve the account password
stored by IIS for any application pool (using the WAMUserPass
property). But, unsurprisingly, an ASP.NET application running inside
an application pool that does not have administrator privileges
can't even enumerate the list of application pools.
I can access the application pool by hard-coding the name, but even
then the WAMUserPass is an empty property value collection.
This doesn't hugely surprise me, but it's somewhat frustrating - the
reason I want access to this password is to schedule Windows Tasks
with the same account, and for that I need the password. Seeing as
the password has already been configured and stored by IIS, I want to
avoid needing to configure and store it elsewhere too.
Unless there's another way around this...

 
Ken Schaefer
      10-05-2007
What about running the web app pool as a user that has Administrator
privileges?

Cheers
Ken

"Dylan Nicholson" wrote in message:
> Running as an administrator, I can retrieve the account password
> stored by IIS for any application pool (using the WAMUserPass
> property). But, unsurprisingly, an ASP.NET application running inside
> an application pool that does not have administrator privileges
> can't even enumerate the list of application pools.
> I can access the application pool by hard-coding the name, but even
> then the WAMUserPass is an empty property value collection.
> This doesn't hugely surprise me, but it's somewhat frustrating - the
> reason I want access to this password is to schedule Windows Tasks
> with the same account, and for that I need the password. Seeing as
> the password has already been configured and stored by IIS, I want to
> avoid needing to configure and store it elsewhere too.
> Unless there's another way around this...
>


 
Kristofer Gafvert
      10-05-2007
Hello,

Please see my answers inline


Dylan Nicholson wrote:

>Running as an administrator, I can retrieve the account password
>stored by IIS for any application pool (using the WAMUserPass
>property). But, unsurprisingly, an ASP.NET application running inside
>an application pool that does not have administrator privileges
>can't even enumerate the list of application pools.


That is true, by default non-administrators cannot enumerate the list of
application pools.

>I can access the application pool by hard-coding the name, but even
>then the WAMUserPass is an empty property value collection.


That is also true. By default, non-administrators can access non-secure
properties, but not secure properties.

>This doesn't hugely surprise me, but it's somewhat frustrating - the
>reason I want access to this password is to schedule Windows Tasks
>with the same account, and for that I need the password. Seeing as
>the password has already been configured and stored by IIS, I want to
>avoid needing to configure and store it elsewhere too.
>Unless there's another way around this...


I would run the scheduled application with a special user that has been
set up specifically for this purpose. Then you can evaluate what
permissions are needed, and run the application with a locked-down user
account.

Hope this helps!


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info
 
Dylan Nicholson
      10-07-2007
On Oct 5, 5:07 pm, "Ken Schaefer" wrote:
> What about running the web app pool as a user that has Administrator
> privileges?
>

Client insisted that this wasn't acceptable.

 
Dylan Nicholson
      10-07-2007
On Oct 6, 1:59 am, "Kristofer Gafvert" wrote:
> Hello,
>
> Please see my answers inline
>
> Dylan Nicholson wrote:
> >Running as an administrator, I can retrieve the account password
> >stored by IIS for any application pool (using the WAMUserPass
> >property). But, unsurprisingly, an ASP.NET application running inside
> >an application pool that does not have administrator privileges
> >can't even enumerate the list of application pools.

>
> That is true, by default non-administrators cannot enumerate the list of
> application pools.
>
> >I can access the application pool by hard-coding the name, but even
> >then the WAMUserPass is an empty property value collection.

>
> That is also true. By default, non-administrators can access non-secure
> properties, but not secure properties.
>
> >This doesn't hugely surprise me, but it's somewhat frustrating - the
> >reason I want access to this password is to schedule Windows Tasks
> >with the same account, and for that I need the password. Seeing as
> >the password has already been configured and stored by IIS, I want to
> >avoid needing to configure and store it elsewhere too.
> >Unless there's another way around this...

>
> I would run the scheduled application with a special user that has been
> set up specifically for this purpose. Then you can evaluate what
> permissions are needed, and run the application with a locked-down user
> account.
>

The ASP.NET app has the same permission requirements as the scheduled
task - reading/writing to the same directory, accessing the same
database.
Anyway, how would that help, I'd still need to store a password.
Actually my current "solution" is for the password to be fixed via an
algorithm that uses static hard-coded information. Not happy with it
though.


 
Ken Schaefer
      10-07-2007

"Dylan Nicholson" wrote in message:
> On Oct 5, 5:07 pm, "Ken Schaefer" wrote:
>> What about running the web app pool as a user that has Administrator
>> privileges?
>>

> Client insisted that this wasn't acceptable.


OK - use the DPAPI API available with Windows to store/retrieve the
password. That way you don't need to come up with your own secure storage
mechanism for passwords.

Cheers
Ken

 
Dylan Nicholson
      10-07-2007
On Oct 7, 9:39 pm, "Ken Schaefer" wrote:
> "Dylan Nicholson" wrote in message:
>
> > On Oct 5, 5:07 pm, "Ken Schaefer" wrote:
> >> What about running the web app pool as a user that has Administrator
> >> privileges?

>
> > Client insisted that this wasn't acceptable.

>
> OK - use the DPAPI API available with Windows to store/retrieve the
> password. That way you don't need to come up with your own secure storage
> mechanism for passwords.
>

DPAPI offers storage? I thought it only offered encryption (and even
then you have to provide a password). And it doesn't solve the
problem of the user having to supply the password twice.
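
The DPAPI approach suggested in this thread, as an added example that is not code from any of the posters: `ProtectedData` encrypts with a key Windows derives for the account or machine, and the application writes the resulting blob wherever it chooses. The file path and entropy string are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // ProtectedData (System.Security.dll on .NET Framework)
using System.Text;

static class TaskCredentialStore
{
    // Assumption: hypothetical location. DPAPI only encrypts; the application
    // decides where the blob lives. Restrict this directory's ACL to the pool account.
    const string BlobPath = @"C:\ExampleApp\secrets\task-credential.bin";

    // Constructed, application-specific entropy. The same value must be passed
    // to Unprotect; it is not a secret on its own.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.ScheduledTask.v1");

    // CurrentUser binds the blob to the calling account and needs that account's
    // profile loaded in the worker process. LocalMachine works without a profile,
    // but any process on the machine can decrypt, so the file ACL is the control.
    const DataProtectionScope Scope = DataProtectionScope.CurrentUser;

    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // No key or password is supplied here: Windows derives the key itself.
            File.WriteAllBytes(BlobPath, ProtectedData.Protect(plain, Entropy, Scope));
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Returns false when the blob is missing, was altered, or was written by
    // another account or machine (Unprotect throws CryptographicException).
    public static bool TryLoad(out string password)
    {
        password = null;
        if (!File.Exists(BlobPath)) return false;
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(BlobPath), Entropy, Scope);
            password = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return true;
        }
        catch (CryptographicException) { return false; }
    }
}
```

The password still has to be entered once and passed to `Save`; code that registers the scheduled task can then read it back with `TryLoad` under the same account.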

 