Monday, November 30, 2015

IIS Application Pool identity password

I recently ran into something cool and scary at the same time. While creating a script for creating a custom SharePoint web application, I needed to change the IIS application pool identity account.

It turned out to be easier than I imagined; you need just a couple of lines of code:

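            Import-Module WebAdministration

            # Select the application pool named "Services"
            $AppPool = Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -eq "Services" }

            # Prompt for the custom identity account and its password
            $credential = Get-Credential
            $AppPool.processModel.userName = $credential.UserName
            $AppPool.processModel.password = $credential.GetNetworkCredential().Password
            # identityType 3 = SpecificUser (a custom account)
            $AppPool.processModel.identityType = 3
            # Save the changes and restart the pool so they take effect
            $AppPool | Set-Item
            $AppPool | Restart-WebAppPool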

But what surprised me is that you can, with a simple command, extract the application pool identity password. All you need is a simple one-liner:

            (Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -eq "Services" }).processModel

In the third row you can see the password property and its value in plain text! How freaky is that!

According to Microsoft this is a feature and also:

"For maximum security, application pools should run under a special built-in identity called ApplicationPoolIdentity. There are two types of Identity for the application pools: Built-in and Custom. The built-in accounts are ApplicationPoolIdentity, NetworkService, LocalService, and LocalSystem. The default (recommended) and most secure is ApplicationPoolIdentity."

This is all true, but there are many web applications (SharePoint, for instance) which require a custom application pool identity. And with a simple PowerShell command you can read its password.

So please be careful and never give the application pool identity account more rights than necessary. Imagine if you used the SharePoint farm admin account to run an application pool. Or even worse, your domain admin account.
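To check a server against this advice, the following added example (not part of the original post) lists every application pool, shows which ones run under a custom account with a readable stored password, and flags accounts from a high-privilege list, without ever printing the password itself. The function name `Get-AppPoolIdentityReport` and the `CONTOSO\...` account names are assumptions made for illustration; run it from an elevated PowerShell session on the IIS server.

```powershell
# Added example: audit application pool identities without revealing passwords.
Import-Module WebAdministration

# Constructed placeholder names: replace with your own farm admin and
# domain admin accounts.
$highPrivilege = @('CONTOSO\sp_farm', 'CONTOSO\Administrator')

function Get-AppPoolIdentityReport {
    param([string[]]$HighPrivilegeAccounts = @())

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel

        # A custom account is identityType SpecificUser (numeric value 3).
        $isCustom = "$($pm.identityType)" -in @('SpecificUser', '3')

        [pscustomobject]@{
            AppPool          = $pool.Name
            IdentityType     = "$($pm.identityType)"
            UserName         = if ($isCustom) { $pm.userName } else { '' }
            # Record only whether a password can be read, never its value.
            PasswordReadable = $isCustom -and -not [string]::IsNullOrEmpty($pm.password)
            # -contains compares strings case-insensitively.
            HighPrivilege    = $isCustom -and ($HighPrivilegeAccounts -contains $pm.userName)
        }
    }
}

# Pools that need attention sort to the top.
Get-AppPoolIdentityReport -HighPrivilegeAccounts $highPrivilege |
    Sort-Object HighPrivilege, PasswordReadable -Descending |
    Format-Table -AutoSize
```

Any row with both `PasswordReadable` and `HighPrivilege` set to `True` is a pool whose identity should be moved to a dedicated, minimally privileged account.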


by Krsto Savic via Everyone's Blog Posts - SharePoint Community
