One effective way to protect passwords is encryption. To use it, IIS must be configured for application pool isolation and worker process isolation. Application pool isolation protects data that WAS (the Windows Process Activation Service, which runs as LocalSystem) needs to access, such as the application pool passwords. Worker process isolation protects data that the application pool identity needs to access, such as the anonymous user account passwords.
Before going into detail, here is the outline of the process, with sample code: create a new RSA encryption provider and set the name of the default provider in machine.config.
The detailed steps follow.
Create a New RSA Encryption Provider Application
1. Open Windows Notepad and create a file named createProvider.cs containing the code below:
using System;
using System.Configuration;
using Microsoft.Web.Administration;   // not used by this program; drop it if the DLL is not referenced at compile time

namespace testingEncryption
{
    public class createProvider
    {
        public static void Main(string[] args)
        {
            // Arguments: key container name, description, provider name
            String keyContainerName = args[0];
            String description = args[1];
            String providerName = args[2];

            // Open the machine.config of the .NET version this program runs under
            System.Configuration.Configuration machineConfig =
                System.Configuration.ConfigurationManager.OpenMachineConfiguration();

            // Register a new RsaProtectedConfigurationProvider bound to the given key container
            System.Configuration.ProviderSettings settings =
                new System.Configuration.ProviderSettings(providerName,
                    "System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
            settings.Parameters["description"] = description;
            settings.Parameters["keyContainerName"] = keyContainerName;
            settings.Parameters["cspProviderName"] = String.Empty;
            settings.Parameters["useMachineContainer"] = "true";   // machine-level key store, so services can use it
            settings.Parameters["useOAEP"] = "false";
            settings.Parameters["name"] = providerName;

            // Add the provider to the configProtectedData section and write machine.config back
            ProtectedConfigurationSection pcSection =
                (System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");
            pcSection.Providers.Add(settings);
            machineConfig.Save();
        }
    }
}
2. Open an elevated command prompt.
- Click “Start”.
- Right-click “Command Prompt”.
- Choose “Run as administrator”.
3. In the command prompt, change to the directory where you saved createProvider.cs and run the command below to compile the code:
Create an Application to Alter the Default Provider
1. Open Windows Notepad and create a file named setProvider.cs containing the code below:
using System;
using System.Configuration;
using Microsoft.Web.Administration;   // not used by this program; drop it if the DLL is not referenced at compile time

namespace testingEncryption
{
    public class setProvider
    {
        public static void Main(string[] args)
        {
            String provider = args[0]; // example: DataProtectionConfigurationProvider

            // Open the machine.config of the .NET version this program runs under
            System.Configuration.Configuration machineConfig =
                System.Configuration.ConfigurationManager.OpenMachineConfiguration();
            ProtectedConfigurationSection pcSection =
                (System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");

            // Report the current default, then switch it to the requested provider
            string oldEncryptionProviderName = pcSection.DefaultProvider;
            Console.WriteLine("The default provider is currently: " + oldEncryptionProviderName);
            Console.WriteLine("Changing the default provider to: " + provider);
            pcSection.DefaultProvider = provider;
            machineConfig.Save();
        }
    }
}
2. Open an elevated command prompt:
- Click “Start”.
- Right-click “Command Prompt”.
- Choose “Run as administrator”.
3. In the command prompt, change to the directory where you saved setProvider.cs and run the command below to compile the code:
Create User Accounts
Next, we create the 4 user accounts needed for the rest of the process. To start, open a command window running with administrative rights:
- Click the “Start” menu.
- Right-click “Command Prompt”.
- Choose “Run as administrator”.
- Run the commands below in the command window.
Application Pool Isolation
WAS is an IIS process that runs in the LOCALSYSTEM context, and it is the only process that needs access to the application pool passwords. In this part, we do the following 4 things:
1. Create New RSA Key
Create a new RSA key that only LOCALSYSTEM and Administrators can access. This key will be used to encrypt the password of every application pool.
- Click “Start” menu.
- Right-click the “Command Prompt”.
- Choose “Run as administrator”.
- Change to the directory containing createProvider.exe and run the command below:
Check that the change took effect: open %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\config\machine.config in Windows Notepad and verify that the newly created provider appears with the following contents:
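The same check can be done programmatically. The program below is an added example, not part of the original article: it uses the same System.Configuration API as createProvider.cs to list every provider registered under configProtectedData in machine.config, marks the current default, and exits with code 1 if a provider name given on the command line is not registered. The provider name to look for is an assumed command-line argument.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;

public class listProviders
{
    // Lists every provider under configProtectedData, marking the current default with "*",
    // and returns the provider names. OpenMachineConfiguration opens the machine.config of the
    // .NET version running this program, so compile it with the same csc used for createProvider.
    public static List<string> ListProviders()
    {
        Configuration machineConfig = ConfigurationManager.OpenMachineConfiguration();
        ProtectedConfigurationSection pcSection =
            (ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");
        List<string> names = new List<string>();
        foreach (ProviderSettings p in pcSection.Providers)
        {
            bool isDefault = p.Name == pcSection.DefaultProvider;
            // Parameters missing for a provider (e.g. the DPAPI one) print as empty strings
            Console.WriteLine("{0}{1}: keyContainerName={2}, useMachineContainer={3}, description={4}",
                isDefault ? "* " : "  ", p.Name,
                p.Parameters["keyContainerName"], p.Parameters["useMachineContainer"],
                p.Parameters["description"]);
            names.Add(p.Name);
        }
        return names;
    }

    public static void Main(string[] args)
    {
        List<string> names = ListProviders();
        // Optional argument (assumed): the provider name you just created
        if (args.Length > 0 && !names.Contains(args[0]))
        {
            Console.WriteLine("Provider {0} is not registered in machine.config", args[0]);
            Environment.ExitCode = 1;
        }
    }
}
```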
2. Encrypt the Passwords of Application Pool
When an application pool property is encrypted, the defaultProvider configured in machine.config is used for the encryption. By default this is RsaProtectedConfigurationProvider.
In this part we use the setProvider.exe application built earlier to change the provider to iisWasKey, and then change the application pool passwords using IIS Manager:
- Click “Start” menu.
- Right-click the “Command Prompt”.
- Choose “Run as administrator”.
- Change to the directory containing setProvider.exe and run the command below:
The default provider has now been changed.
3. Create New Application pools
Here we create 2 new application pools to isolate. Start IIS Manager:
1. Click “Start” and enter “INetMgr.exe” (if prompted, click “Continue” to elevate your permissions).
2. Click “+” beside your machine name in the “Connections” field.
3. Click “Application Pools”.
4. Choose the “Add Application Pool” task.
5. Enter “AppPool1” under the “Name” field and click “OK”:
6. Repeat all the previous steps but enter “AppPool2” in the “Name” field this time.
7. IIS Manager now shows the following page:
8. Note that the identity of AppPool1 and AppPool2 is shown as “NetworkService”. Change them to the accounts created earlier: right-click “AppPool1” and choose “Advanced Settings”.
9. Under the “Process Model” section:
- Click the button to the right of “Identity”.
- Click “Custom account” and click “Set…” in the “Application Pool Identity” window.
- Enter the user name (AppPoolIdentity1) and password (password1) in the “Set Credentials” window. Then click “OK”.
10. The “Identity” value should now appear like this:
11. Click the “OK” button.
12. Repeat the steps above for AppPool2, entering AppPoolIdentity2 as the user name and its own password.
13. IIS Manager now shows the following, including the changed application pool identities.
14. Check the change by opening %SystemRoot%\System32\Inetsrv\applicationHost.config in Windows Notepad. Find the “applicationPools” section; the application pool passwords are now encrypted with the Rsa_WAS key as expected:
password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAAUkBfhWFbUHIt/qtlo+P7CiZC10r9H0DGBvAlU2mhiOxMoHXX6Dz0S8TQjKx2YTKvuE8y+SBUWrEs3JYzXKOkY45Q9z6E/3BFvru5oR9uzbjInASKF/83NN1tIEsoorQWmUOjnL4XM9RNzpqkY6TgyC3CyPUGN9fR7li5+AUupHHfgVPMzcLHfCsoq+ri+X6IbEnJducUEAYBn1P9F/Zxk=:enc]" />
password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAEbQEa/sAmyLbryAR0hD3voip2+0RfzM44sXPekpI2H7HYLzta55NfLcG8vSPHhasahKVgO4wcIcT03CLSn+5koWvAaIRdeClhXWK/X8ZQPFooOpyhOqT0TEP5vjB+DXAKgq0RC6ufHFtrHMy0U69ew7/49YXEcrkF+o8OJZ1K+EkgA3J2ikHKxW0pFBU0tFvLCjt2/UXypfNI0hYPe2syk=:enc]" />
4. Lock Down the Encryption Providers
When the IIS_IUSRS group is created, it is given read access to the keys by default. This access can be removed with the ASPNET_REGIIS tool. To do so, run the commands below from the elevated command prompt:
This removes the IIS_IUSRS group’s ability to read the iisWasKey, which is meant only for Administrators and LOCALSYSTEM.
Worker Process Isolation
Next, configuring worker process isolation involves adding 2 new sites. The two sites are placed in different application pools with different anonymous authentication identities. We then set up a new RSA encryption provider for each application pool to encrypt the anonymous passwords.
1. Create New Sites
Here we create 2 new sites and add each to one of the application pools created earlier. To start, open a command window running with administrative rights:
- Click “Start” menu.
- Right-click the “Command Prompt”.
- Choose “Run as administrator”.
- Run the command below to change to the wwwroot directory:
- Use the commands below to create 2 new directories called “one” and “two”:
- Create a Default.htm file in each of the 2 directories containing the HTML code below:
Replace “X” with “one” or “two” according to the directory the file is in.
Then create the 2 sites using IIS Manager:
1. Click “Start” and enter “INetMgr.exe” (if prompted, click “Continue” to get your permissions elevated).
2. Click the “+” button beside your machine name in the “Connections” pane.
3. Right-click “Sites” under “Connections” and click “Add Web Site”.
4. Use the following data to set up the site:
When completed you will see the following.
5. Click “OK”.
6. Repeat the steps above to create the second site, this time with the information below:
You have now created 2 sites called “One” and “Two” and added them to the AppPool1 and AppPool2 application pools. Use the following URLs to test site One and site Two: http://localhost:81 and http://localhost:82.
2. Create New Providers for Each Application Pool
In this part we create a new RSA provider for each application pool:
- Click “Start” menu.
- Right-click the “Command Prompt”.
- Choose “Run as administrator”.
- Change to the directory containing createProvider.exe and run the command below:
3. Set the Anonymous Account for Site One & Site Two
Run the commands below in the elevated command prompt:
1. Open IIS Manager and double-click site “One” (and afterwards “Two”).
2. Double click “Authentication” under “Feature Name”.
3. Choose “Anonymous Authentication” and click “Edit” in the “Tasks” pane. The “Edit Anonymous Authentication Credentials” window appears.
4. Click “Specific User” and click “Set”.
5. Enter the user name (AnonymousAccount1 / AnonymousAccount2) and password (password3 / password4) and click “OK”.
6. A dialog box like this appears:
7. Click “OK”.
4. Reset the Encryption Provider to the Default
Return to the elevated command prompt and run the command below:
This change ensures that all properties encrypted from now on use the default provider.
5. Verify the Changes
Confirm that the changes took effect by opening %SystemRoot%\System32\Inetsrv\applicationHost.config in Windows Notepad:
Note that:
- The passwords for AppPool1 and AppPool2 are protected by the Rsa_WAS key;
- The passwords for AnonymousAccount1 and AnonymousAccount2 are protected by the Rsa_app1 and Rsa_app2 keys respectively:
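This verification step can also be done programmatically. The program below is an added example, not part of the original article: it parses applicationHost.config, finds every stored password under applicationPools and in each site’s anonymousAuthentication element, and reports which provider protects it, expecting Rsa_WAS for pool passwords and an Rsa_appN key for anonymous passwords, as named on this page. It assumes .NET 3.5 or later (for System.Xml.Linq) and must run from an elevated prompt to read the live file; an alternative file path can be passed as the first argument.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public class verifyEncryption
{
    // IIS stores a protected attribute as [enc:<providerName>:<base64 ciphertext>:enc].
    static readonly Regex EncPattern = new Regex(@"^\[enc:(?<provider>[^:]+):[^:]+:enc\]$");

    // Returns the provider name if the value is encrypted, or null if it is stored in the clear.
    public static string EncryptionProvider(string value)
    {
        Match m = EncPattern.Match(value ?? String.Empty);
        return m.Success ? m.Groups["provider"].Value : null;
    }
    // Null-safe attribute read (e may be null when the element is absent).
    static string Attr(XElement e, string name)
    {
        XAttribute a = e == null ? null : e.Attribute(name);
        return a == null ? null : a.Value;
    }
    // Prints one line per stored password; returns how many are not protected as expected.
    public static int Check(XDocument doc)
    {
        int problems = 0;
        foreach (XElement pool in doc.Descendants("applicationPools").Elements("add"))
        {
            string pwd = Attr(pool.Element("processModel"), "password");
            if (pwd == null) continue;                  // built-in identity, nothing stored
            string provider = EncryptionProvider(pwd);
            if (provider != "Rsa_WAS") problems++;      // pool passwords must use the WAS key
            Console.WriteLine("pool {0}: {1}", Attr(pool, "name"), provider ?? "PLAINTEXT");
        }
        foreach (XElement loc in doc.Descendants("location"))
        {
            string pwd = Attr(loc.Descendants("anonymousAuthentication").FirstOrDefault(), "password");
            if (pwd == null) continue;
            string provider = EncryptionProvider(pwd);
            if (provider == null || !provider.StartsWith("Rsa_app")) problems++;   // per-pool key
            Console.WriteLine("site {0}: {1}", Attr(loc, "path"), provider ?? "PLAINTEXT");
        }
        return problems;
    }
    public static void Main(string[] args)
    {
        // Defaults to the live file (assumed path); readable only from an elevated prompt.
        string path = args.Length > 0 ? args[0] : Environment.ExpandEnvironmentVariables(@"%SystemRoot%\System32\Inetsrv\applicationHost.config");
        Environment.ExitCode = Check(XDocument.Load(path)) == 0 ? 0 : 1;
    }
}
```

A non-zero exit code means at least one password is either stored in plaintext or encrypted with a provider other than the one this walkthrough intends for it.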
6. Lock Down the Encryption Providers
Protect the key permissions as before. Run the commands below from the elevated command prompt:
These commands remove IIS_IUSRS’s ability to read the keys and grant access only to the application pool identity that needs it.
7. Test Your Sites
Now test the 2 sites at http://localhost:81 and http://localhost:82. Everything should work as it did before.
Summary
The tasks above achieve 2 goals: securing the application pool settings and isolating the worker process settings. The application pool passwords can now be read only by Administrators and the permitted SYSTEM account, so if an application running in an application pool tries to retrieve its own application pool’s password, the attempt fails. In addition, the application pool identity can still decrypt its anonymous password.