Date parsed: 04/10/2007 01:10:57
Date: Thu, 04 Oct 2007 08:10:57 -0700

Running as an administrator, I can retrieve the account password
stored by IIS for any application pool (using the WAMUserPass
property). But, unsurprisingly, an ASP.NET application running inside
an application pool that is does not have administrator privileges
can't even enumerate the list of application pools.
I can access the application pool by hard-coding the name, but even
then the WAMUserPass is an empty property value collection.
This doesn't hugely surprise me, but it's somewhat frustrating - the
reason I want access to this password is to schedule Windows Tasks
with the same account, and for that I need the password. Seeing as
the password has already been configured and stored by IIS, I want to
avoid needing to configure and store it elsewhere too.
Unless there's another way around this...

Date parsed: 06/10/2007 03:07:04
Date: Fri, 5 Oct 2007 17:07:04 +1000

What about running the web app pool as a user that has Administrator
privileges?

Cheers
Ken

"Dylan Nicholson" <wizofaus@hotmail.com> wrote in message
news:1191510657.740308.102980@w3g2000hsg.googlegroups.com...
> Running as an administrator, I can retrieve the account password
> stored by IIS for any application pool (using the WAMUserPass
> property). But, unsurprisingly, an ASP.NET application running inside
> an application pool that is does not have administrator privileges
> can't even enumerate the list of application pools.
> I can access the application pool by hard-coding the name, but even
> then the WAMUserPass is an empty property value collection.
> This doesn't hugely surprise me, but it's somewhat frustrating - the
> reason I want access to this password is to schedule Windows Tasks
> with the same account, and for that I need the password. Seeing as
> the password has already been configured and stored by IIS, I want to
> avoid needing to configure and store it elsewhere too.
> Unless there's another way around this...
>

Date parsed: 06/10/2007 20:47:13
Date: Sun, 07 Oct 2007 03:47:13 -0700

On Oct 6, 1:59 am, "Kristofer Gafvert" <kgafv...@NEWSilopia.com>
wrote:
> Hello,
>
> Please see my answers inline
>
> Dylan Nicholson wrote:
> >Running as an administrator, I can retrieve the account password
> >stored by IIS for any application pool (using the WAMUserPass
> >property). But, unsurprisingly, an ASP.NET application running inside
> >an application pool that is does not have administrator privileges
> >can't even enumerate the list of application pools.
>
> That is true, by default non-administrators cannot enumerate the list of
> application pools.
>
> >I can access the application pool by hard-coding the name, but even
> >then the WAMUserPass is an empty property value collection.
>
> That is also true. By default, non-administrators can access non-secure
> properties, but not secure properties.
>
> >This doesn't hugely surprise me, but it's somewhat frustrating - the
> >reason I want access to this password is to schedule Windows Tasks
> >with the same account, and for that I need the password. Seeing as
> >the password has already been configured and stored by IIS, I want to
> >avoid needing to configure and store it elsewhere too.
> >Unless there's another way around this...
>
> I would run the scheduled application with a special user that has been
> setup specifically for this purpose. Then you can evaluate what
> permissions are needed, and run the application with a locked-down user
> account.
>
The ASP.NET app has the same permission requirements as the scheduled
task - reading/writing to the same directory, accessing the same
database.
Anyway, how would that help, I'd still need to store a password.
Actually my current "solution" is for the password to be fixed via an
algorithm that uses static hard-coded information. Not happy with it
though.

Date parsed: 08/10/2007 07:39:02
Date: Sun, 7 Oct 2007 21:39:02 +1000


"Dylan Nicholson" <wizofaus@hotmail.com> wrote in message
news:1191753837.336887.274420@d55g2000hsg.googlegroups.com...
> On Oct 5, 5:07 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
> wrote:
>> What about running the web app pool as a user that has Administrator
>> privileges?
>>
> Client insisted that this wasn't acceptable.

OK - use the DPAPI API available with Windows to store/retrieve the
password. That way you don't need to come up with your own secure storage
mechanism for passwords.

Cheers
Ken