Dump password of application pool user from IIS >= 6.0

IIS Application pools are used to separate sets of IIS worker processes that share the same configuration and application boundaries. Application pools used to isolate our web application for better security, reliability, and availability and performance and keep running with out impacting each other . The worker process serves as the process boundary that separates each application pool so that when one worker process or application is having an issue or recycles, other applications or worker processes are not affected.
One Application Pool can have multiple worker process. (Ref:http://technet.microsoft.com/en-us/library/cc735247%28WS.10%29.aspx)

Main Point to Remember:
1. Isolation of Different Web Application
2. Individual worker process for different web application
3. More reliably web application
4. Better Performance

It may happen that while managing or testing multiple web applications we create many application pool(s) in the IIS. Thus, there is always the possibility that we may forget the password of an account that we have used for the some application pool. In order to retrieve the credentials we can use the utility called APPCMD.

Let’s Start

1. Let us assume that we have forgotten the password of the account that is used by a “Demo User” application pool.

Application Pool

Application Pool

2. Open the command prompt by browsing Start menu -> Accessories -> Command Prompt. Right click on Command prompt and select “Run as Administrator” option from the context menu.

Tip: You can also select CMD and press CTRL + Shift + Enter to Start Command Prompt as Administrator or with Machine Administrator rights

3. Browse the following path on command prompt “%systemroot%system32inetsrv” and run

APPCMD list apppool “Demo User” /text:*

(The directory will most likely be C:WindowsSystem32inetsrv)

Replace “Demo User” with the App Pool name of which you want to retrieve the password.

Command

Command

4. Under the [processModel] section you will get the username and password which is in Clear Text .

Output showing credentials

Output showing credentials

Remediation & POC

The remediation for this is very simple; use service accounts like Network Service, Network, etc. So, even if someone has access to the system and tries same steps as above to retrieve the user account password, he wont be able to do that.

1. Application pool “Dos” with Network Service account

Application Pool for Network Service

Application Pool for Network Service

2. Running the same command as we ran in earlier in this post i.e. APPCMD list apppool “Dos” /text:*

Command

Command

3. Checking the output

Output for Network Service

Output for Network Service

Note

The above technique which we have tested against IIS 6.0 will also work with IIS 7.0 and IIS 7.5, as these versions also provide support for the utility for legacy reasons.

I guess this highlights why least-privilege is so important when assigning privileges to application services on servers. In a scenario where the server is compromised, the  Final word for IIS administrators, always use a least-privilege user account for SharePoint or any other web application installation or deployment, simply means that Application Pool account should not have more permissions than needed.

Posted in Secure .NET Coding, Security, Sharepoint Security Tagged with: , , ,