Using Encryption to Protect Passwords

By Saad Ladki

November 22, 2007

Introduction

This document provides an overview of the steps required for setting both application pool and worker process isolation for IIS 7.0 and above servers. Application pool isolation entails protecting data that WAS (the IIS local system process) needs to access. An example of this data is the application pool passwords. Worker process isolation, on the other hand, entails protecting data that the application pool identity needs to access. An example of this data is the anonymous user account password.

This article contains:

Prerequisites

To help simplify this process, two pieces of sample code are provided that:

  • Create a new RSA encryption provider in machine.config.
  • Set the name of the default provider in machine.config.

The final prerequisite section guides you in setting up four User accounts that will be used in later topics.

Creating a New RSA Encryption Provider Application

1. Open Windows Notepad and create a file in a directory of your choosing named createProvider.cs that contains the following C# code:

using System;
using Microsoft.Web.Administration;
using System.Configuration;

namespace testingEncryption
{
public class createProvider
{
public static void Main(string[] args)
{
String keyContainerName = args[0];
String description = args[1];
String providerName = args[2];
System.Configuration.Configuration machineConfig =
System.Configuration.ConfigurationManager.OpenMachineConfiguration();
System.Configuration.ProviderSettings settings =
new System.Configuration.ProviderSettings(providerName,
"System.Configuration.RsaProtectedConfigurationProvider,
System.Configuration,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a");
settings.Parameters["description"] = description;
settings.Parameters["keyContainerName"] = keyContainerName;
settings.Parameters["cspProviderName"] = String.Empty;
settings.Parameters["useMachineContainer"] = "true";
settings.Parameters["useOAEP"] = "false";
settings.Parameters["name"] = providerName;
ProtectedConfigurationSection pcSection =
(System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection ("configProtectedData");
pcSection.Providers.Add(settings);
machineConfig.Save();
}
}
}

2. Next, launch an elevated command prompt:

a. Click the Start menu.
b. Right-click Command Prompt.
c. Select Run as administrator.


3. In the command prompt Window, navigate to the where location you saved the createProvider.cs file and run the following command to compile your code:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\csc.exe /reference:%SystemRoot%\System32\inetsrv\Microsoft.Web.Administration.dll createProvider.cs

This step is now complete.

Creating an Application to Change the Default Provider

1. Open Windows Notepad and create a file in a directory of your choosing named setProvider.cs that contains the following C# code:

using System;
using Microsoft.Web.Administration;
using System.Configuration;
namespace testingEncryption
{
public class setProvider
{
public static void Main(string[] args)
{
String provider = args[0]; // example: DataProtectionConfigurationProvider
System.Configuration.Configuration machineConfig =
System.Configuration.ConfigurationManager.OpenMachineConfiguration();
ProtectedConfigurationSection pcSection =
(System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");
string oldEncryptionProviderName = pcSection.DefaultProvider;
Console.WriteLine("The default provider is currently: " + oldEncryptionProviderName);
Console.WriteLine("Changing the default provider to: " + provider);
pcSection.DefaultProvider = provider;
machineConfig.Save();
}
}
}

2. Next, launch an elevated command prompt:

a. Click the Start menu.
b. Right-click Command Prompt.
c. Select Run as administrator.

3. In the command prompt Window navigate to the location you saved the setProvider.cs file and run the following command to compile your code:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\csc.exe /reference:%SystemRoot%\System32\inetsrv\Microsoft.Web.Administration.dll setProvider.cs

This step is now complete.

Creating User Accounts

In this step, we create four new user accounts that will be used throughout this document.

To begin, open a command shell Window running under administrative rights using the following steps:

  1. Click the Start menu.
  2. Right-click Command Prompt .
  3. Select Run as administrator.
  4. In the command window, execute the following commands:
net user /add AppPoolIdentity1 password1
net user /add AppPoolIdentity2 password2
net user /add AnonymousAccount1 password3
net user /add AnonymousAccount2 password

This step is now complete.

Application Pool Isolation

IIS has a process called WAS that runs under the context of LOCALSYSTEM and is the only process that needs access to the application pool passwords. In this task, we:

  • Create a new RSA key (iisWasKey) that only LOCALSYSTEM and Administrators have access to. This key will be used to encrypt every application pool's passwords.
  • Create two application pools.
  • Configure each of these application pools to run under different identities and encrypt their passwords using the iisWasKey.
  • Restrict NTFS file system permissions on the key files so only SYSTEM and Administrators have access.

Create New RSA Key

  1. Click the Start menu.
  2. Right-click on Command Prompt.
  3. Select Run as administrator.
  4. In the command window navigate to where you saved your createProvider.exe and run the following command:
createProvider.exe iisWasKey RsaKeyForWAS Rsa_WAS

Verify that these changes occurred correctly. Open your %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\config\machine.config using Windows Notepad and verify the lines to the section are present for the new provider:

keyContainerName="NetFrameworkConfigurationKey" cspProviderName=""
useMachineContainer="true" useOAEP="false" name="RsaProtectedConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration,

Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
useMachineProtection="true" keyEntropy="" name="DataProtectionConfigurationProvider"
type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

cspProviderName="" useMachineContainer="true" useOAEP="false"
name="Rsa_WAS"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Encrypt the Application Pool Passwords

By default, whenever a property is encrypted, IIS uses the defaultProvider for encryption defined in machine.config. The default value for this is RsaProtectedConfigurationProvider.

In this step, we use the setProvider.exe application created earlier to change the provider to iisWasKey and then use the IIS Manager to change the passwords:

  1. Click the Start menu.
  2. Right-click on Command Prompt.
  3. Select Run as administrator.
  4. In the command window navigate to where you saved your setProvider.exe and run the following command:
setProvider.exe Rsa_WAS

The default provider Rsa_WAS has been successfully changed.

Create New Application Pools

In this step, we create two new application pools that we isolate from one another. To do so, launch the IIS Manager:

  1. Click Start, and type 'INetMgr.exe' and press Enter (if prompted, select Continue to elevate your permissions).
  2. Click the + button beside the name of your machine in the Connections section.
  3. Click Application Pools.
  4. Select the task on the right titled Add Application Pool.
  5. Input the Name 'AppPool1' and then press OK as shown:


  6. Repeat previous steps but this time use the name AppPool2.
  7. You now see the following screen within the IIS Manager:

  8. Notice how the identity for both AppPool1 and AppPool2 are NetworkService. We will change this to be the accounts we created earlier by right clicking AppPool1 and then selecting Advanced Settings
  9. Under the title Process Model:
    a. Click the button to the right of the words Identity.
    b. In the Application Pool Identiy window select the "Custom account" radio button and click the "Set..." button.
    c. Input the following user name and password in the Set Credentials dialog.

    user name: AppPoolIdentity1
    password: password1


10. Now the Identity value should appear as shown below:


11. Click OK to save your changes.
12. Repeat the previous step for AppPool2 and user the user name "AppPoolIdentity2" and the password "password2".
13. You see the following displayed in the IIS Manager (mainly the Identities for the application pools have changed):

14. Verify the changes by using Windows Notepad and opening the %SystemRoot%\System32\Inetsrv\applicationHost.config file. Navigate to the applicationPools section and you see that we encrypted the application pool passwords using the Rsa_WAS key as intended:

  password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAAUkBfhWFbUHIt/qtlo+P7CiZC10r9H0DGBvAl
U2mhiOxMoHXX6Dz0S8TQjKx2YTKvuE8y+SBUWrEs3JYzXKOkY45Q9z6E/3BFvru5oR9uzbjInASKF/83N
N1tIEsoorQWmUOjnL4XM9RNzpqkY6TgyC3CyPUGN9fR7li5+AUupHHfgVPMzcLHfCsoq+ri+X6IbEnJdu
cUEAYBn1P9F/Zxk=:enc]" />
password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAEbQEa/sAmyLbryAR0hD3voip2+0RfzM44sXPekp
I2H7HYLzta55NfLcG8vSPHhasahKVgO4wcIcT03CLSn+5koWvAaIRdeClhXWK/X8ZQPFooOpyhOqT0TEP5v
jB+DXAKgq0RC6ufHFtrHMy0U69ew7/49YXEcrkF+o8OJZ1K+EkgA3J2ikHKxW0pFBU0tFvLCjt2/UXypfNI
0hYPe2syk=:enc]" />

Locking Down the Encryption Providers

By default, the IIS_IUSRS is given read access to the keys when they are created. However, we can use the ASPNET_REGIIS tool to remove that access. To do so, run the following commands from the elevated command prompt:

cd /d %systemroot%
cd Microsoft.NET\Framework\v2.0.50727
aspnet_regiis.exe -pr iisWasKey IIS_IUSRS

This removed IIS_IUSRS (the application pool identities group) from being able to read the iisWasKey which is intended for only Administrators and LOCALSYSTEM access.

Worker Process Isolation

This topic tells how to setup worker process isolation by creating two new sites that are part of different application pools and have different anonymous authentication identities. We then create a new RSA provider for each application pool to encrypt the anonymous passwords.

Create New Sites

In this section, we create two new sites and add each site to an application pool we created earlier. To begin, open a command shell running under administrative rights using the following steps:

  1. Click the Start menu.
  2. Right-click Command Prompt.
  3. Select Run as administrator.
  4. In the command window, navigate to your wwwroot directory using the following command:
cd /d %SystemDrive%\inetpub\wwwroot

5. Create a new directory named "one" and a directory "two" using the following commands:

mkdir one
mkdir two

6. Create a basic Default.htm file in both the "one" and "two" directories that contain following HTML code:

<html><body>Hello from site X</body></html>

Note: Replace 'X' with either 'one' or 'two' depending on the directory location of the file.

Now use the IIS manager to create two sites:

  1. Click Start, type INetMgr.exe and press Enter (if prompted, select Continue to elevate your permissions).
  2. Click on the + button beside the name of your machine in the Connections section.
  3. Right click Site in the tree view under Connections and then select Add Web Site.
  4. Use the following information to create your site:

    Web Site Name: One
    Application Pool: AppPool1
    Physical Path: {location of your inetpub directory}\wwwroot\one
    Port: 81

    This should like the following when completed:


  5. Click OK to save the changes.
  6. Repeat the previous two steps but this time use the following information for the second site:

    Web Site Name: Two
    Application Pool: AppPool2
    Physical Path: {location of your inetpub directory}\wwwroot\two
    Port: 82

You have now created two new sites named One and Two, and added them to the AppPool1 and AppPool2 applications pools.

The URLs to test your sites are:

  • http://localhost:81 for site One
  • http://localhost:82 for site Two

Create New Providers for Each Application Pool

In this section, we create a new RSA provider for each of the application pools:

  1. Click the Start menu.
  2. Right-click Command Prompt.
  3. Select Run as administrator.
  4. In the command window execute, navigate to where you saved your createProvider.exe and run the following command:
createProvider.exe App1Key RsaKeyForAppPool1 Rsa_app1
createProvider.exe App2Key RsaKeyForAppPool2 Rsa_app2

Set the Anonymous Account for Site One

In your elevated command prompt Window, run the following command:

setProvider.exe Rsa_app1
  1. Return back to IIS Manager and double click site One.
  2. Double click the Authentication item under the Feature Name heading.
  3. Select Anonymous Authentication and then click Edit under the Tasks heading on the right side which brings up the Edit Anonymous Authentication Credentials dialog box.
  4. Click the Specific User option and then click the Set button.
  5. Input the username AnonymousAccount1 and password password3 and select OK.
  6. This brings up the following dialog box:


  7. Press OK to save your changes.

Set the Anonymous Account for Site Two

In your elevated command prompt Window, run the following command:

setProvider.exe Rsa_app2
  1. Return back to IIS Manager and double click on site Two.
  2. Double click the Authentication item under the Feature Name heading.
  3. Select Anonymous Authentication and then click Edit under the Tasks heading on the right side which brings up the Edit Anonymous Credentials dialog box.
  4. Click the Specific User option and click Set.
  5. Input the username AnonymousAccount2 and password password4 and select OK.
  6. Click OK to save your changes.

Reset the Encryption Provider to the Default

  • Return to your elevated command prompt Window and run the following command:
setProvider.exe RsaProtectedConfigurationProvider

Note: This change ensures that all encrypted future properties use the default encryption provider.

Verify the Changes

Verify that what we wanted did happen. Using Windows Notepad, open the %SystemRoot%\System32\Inetsrv\applicationHost.config file:

  • Notice that the password for AppPool1 and AppPool2 are both still protected with the Rsa_Was key
  • Notice that the password for AnonymousAccount1 is also protected with the Rsa_app1 key:
password="[enc:Rsa_app1:jAAAAAECAAADZgAAAKQAAKoz4LV7HyPQuyNzXh8gspB0rPG7j3Ijvn3d+jY3/f
gma8ZxA7AHLUxjis9b0+Qu8XkLvsGn/A+F+m1O68gY1LkWzAcSW9ks81FuiBVhpZx73FzEo6aOz2QqBduJ7Xhu
x923KMBqmwkIVJ0mVAdzwFIm6LWymwRXxNxDE4eosKsw6QP6Rd6duC8gckaLxrTndclErQYgGdMt3W6ofxzRMlc=:enc]" />
  • Finally, note that the AnonymousAccount2 password is also protected with the Rsa_app2 key:
password="[enc:Rsa_app2:jAAAAAECAAADZgAAAKQAAKmHMhCTICEUhGncSGCxQc6ll/QGXo0asEIzOf3rIjl
sBDGRYhlDQWlf2QbFcIsBGYt8dHo9hzAQN/f03BPSlaFynevpSx4xJOg2/B8ATgPmCg4vgxpY5huZbGxongs55c
Rr20WFXsxzlUuw1xoUZI8c1+7gQPOtF0Rwh1g8NBmb5ML/R3jAIFcMtVhaj0OOIfAP7JCjdInwztBqK0XO7FM=:enc]" />

Locking Down the Encryption Providers

Secure the file permissions for our keys, as done previously, above. Run the following commands from the elevated command prompt:

cd /d %systemroot%
cd Microsoft.NET\Framework\v2.0.50727
aspnet_regiis.exe -pr App1Key IIS_IUSRS
aspnet_regiis.exe -pa App1Key   AppPoolIdentity1
aspnet_regiis.exe -pr App2Key IIS_IUSRS
aspnet_regiis.exe -pa App2Key   AppPoolIdentity2

These commands have removed the ability of IIS_IUSRS to read the keys and added only the application pool identity that needs access permission to the keys.

Testing Your Sites

Now test your sites:

  • Http://localhost:81
  • Http://localhost:82

Everything should continue to work as it had before.

Summary

In summary, we performed the following tasks to secure the application pool settings:

  • Created two application pools
  • Created two local user accounts and configured them as the application pool identities
  • We created an Administration encryption key and used it to protect all the application pool identities passwords
  • We used ASPNET_REGIIS to remove IIS_IUSRS (the application pool identities group) from accessing the key

These tasks effectively ensured that only the Administrators and SYSTEM accounts can read the passwords for the application pools. Therefore, if applications within an application pool tried to retrieve the passwords for their (or any) application pool, the attempt would fail.

To isolate the worker process settings, we:

  • Created a new anonymous identity account
  • We created a new provider for the application pool
  • We encrypted the anonymous authentication password with the application pool key
  • We removed access to the anonymous authentication provider for IIS_IUSRS and granted access to just the application pool identity

This effectively ensured that the application pool identity can decrypt the anonymous password it belongs too and no one else.



Discuss in IIS Forums