Possible to retrieve password of current application pool

  • Thread starter Dylan Nicholson

Dylan Nicholson

Running as an administrator, I can retrieve the account password
stored by IIS for any application pool (using the WAMUserPass
property). But, unsurprisingly, an ASP.NET application running inside
an application pool that does not have administrator privileges
can't even enumerate the list of application pools.
I can access the application pool by hard-coding the name, but even
then the WAMUserPass is an empty property value collection.
This doesn't hugely surprise me, but it's somewhat frustrating - the
reason I want access to this password is to schedule Windows Tasks
with the same account, and for that I need the password. Seeing as
the password has already been configured and stored by IIS, I want to
avoid needing to configure and store it elsewhere too.
Unless there's another way around this...
 
Ken Schaefer

What about running the web app pool as a user that has Administrator
privileges?

Cheers
Ken
 
Kristofer Gafvert

Hello,

Please see my answers inline


Dylan said:
Running as an administrator, I can retrieve the account password
stored by IIS for any application pool (using the WAMUserPass
property). But, unsurprisingly, an ASP.NET application running inside
an application pool that does not have administrator privileges
can't even enumerate the list of application pools.

That is true, by default non-administrators cannot enumerate the list of
application pools.

Dylan said:
I can access the application pool by hard-coding the name, but even
then the WAMUserPass is an empty property value collection.

That is also true. By default, non-administrators can access non-secure
properties, but not secure properties.

Dylan said:
This doesn't hugely surprise me, but it's somewhat frustrating - the
reason I want access to this password is to schedule Windows Tasks
with the same account, and for that I need the password. Seeing as
the password has already been configured and stored by IIS, I want to
avoid needing to configure and store it elsewhere too.
Unless there's another way around this...

I would run the scheduled application with a special user that has been
set up specifically for this purpose. Then you can evaluate what
permissions are needed, and run the application with a locked-down user
account.

Hope this helps!
 
Dylan Nicholson

Kristofer Gafvert said:
Hello,

Please see my answers inline

That is true, by default non-administrators cannot enumerate the list of
application pools.


That is also true. By default, non-administrators can access non-secure
properties, but not secure properties.


I would run the scheduled application with a special user that has been
set up specifically for this purpose. Then you can evaluate what
permissions are needed, and run the application with a locked-down user
account.

The ASP.NET app has the same permission requirements as the scheduled
task - reading/writing to the same directory, accessing the same
database.
Anyway, how would that help? I'd still need to store a password.
Actually my current "solution" is for the password to be fixed via an
algorithm that uses static hard-coded information. Not happy with it
though.
 
Ken Schaefer

Dylan Nicholson said:
Client insisted that this wasn't acceptable.

OK - use the DPAPI API available with Windows to store/retrieve the
password. That way you don't need to come up with your own secure storage
mechanism for passwords.

Cheers
Ken
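
The DPAPI suggestion above, as an added example that is not code from any poster in this thread: DPAPI only encrypts and decrypts under a key tied to the calling Windows account, so the application writes the resulting blob to storage of its own choosing. The class name, file path and entropy string are hypothetical, and on .NET Framework the project needs a reference to System.Security.dll.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class TaskPasswordStore
{
    // Hypothetical location; restrict its NTFS ACL to the application pool account.
    const string BlobPath = @"C:\AppData\ExampleApp\task-account.bin";

    // Not a secret: binds the blob to this one purpose, so Unprotect fails
    // unless the caller passes the same value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp/scheduled-task/v1");

    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // CurrentUser scope: only the same Windows account on this machine
            // can unprotect. DPAPI returns ciphertext; it stores nothing itself.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // limit plaintext lifetime in memory
        }
    }

    public static string Load()
    {
        if (!File.Exists(BlobPath))
            throw new InvalidOperationException("No protected password has been saved yet.");
        try
        {
            byte[] blob = File.ReadAllBytes(BlobPath);
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException ex)
        {
            // Blob written by another account or machine, modified on disk,
            // or the entropy does not match.
            throw new InvalidOperationException("Stored password cannot be unprotected by this account.", ex);
        }
    }
}
```

CurrentUser scope depends on the account's user profile being available to the process; where it is not, Protect throws a CryptographicException. The password still has to be entered once so that Save can be called, after which the scheduled-task setup can call Load.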
 
Dylan Nicholson

Ken Schaefer said:
OK - use the DPAPI API available with Windows to store/retrieve the
password. That way you don't need to come up with your own secure storage
mechanism for passwords.

DPAPI offers storage? I thought it only offered encryption (and even
then you have to provide a password). And it doesn't solve the
problem of the user having to supply the password twice.
 
