klacounte
Level 6

IIS Secure properties displayed in log

IS 2008 now logs IIS property values that are being set in application pools. This includes secure properties such as passwords. These should be masked with asterisks. For reference, the adsutil.vbs script included with IIS does this (see the IsSecureProperty function).
0 Kudos
(14) Replies
davidh
Level 6

I created IOC-000064358 for this. At this time the only workaround I can offer is to use InstallScript because it lacks logging.
0 Kudos
klacounte
Level 6

Thanks for the response David. We sometimes get log files from customers but I can have them remove the passwords before sending them. I may be reverting to IS12 anyway for the app pool problem.
0 Kudos
davidh
Level 6

You might want to hold off on reverting. Since this involves a security issue we will hot fix this ASAP.
0 Kudos
klacounte
Level 6

I'm not sure if you saw this thread: "Bug in caCreateVRoots - Creating app pools". This is the problem I was referring to that would make me go back to IS12.
0 Kudos
davidh
Level 6

Attached is a test version that should fix the password logging problem. This is not the official hot fix. I smoke tested it, but please verify to see if this solves your issue.

You might want to hold for an official released version. I have yet to test this with our automated runtime tests. Additionally, before we release anything our testing department runs a lot of manual tests against IIS. If I see any problems, I will post, but thought you might want to try this out for now.

To test, back up your version of IISHelper.dll and use the attached version.

Secondly, the InstallShield IIS runtime will attempt to mask the password if it is added to the MsiHiddenProperties property. So, add the property name you are using to MsiHiddenProperties.
0 Kudos
klacounte
Level 6

Thanks David. I'll give it a try and post back in a couple of hours.
0 Kudos
klacounte
Level 6

David,

In my test project I created two properties SecurePassword and NonSecurePassword and set MsiHiddenProperties to SecurePassword. I used each of the properties in the password setting for an app pool then installed and reviewed the log. The SecurePassword was masked as expected but the NonSecurePassword was masked as well. I don't see how this would be a problem but thought you should know about it.

The other issue I reported with the error creating the application pools was also resolved with the updated dll. Do you know when an official version would be available?
0 Kudos
davidh
Level 6

Oooh, nice test. You actually found some extra functionality in the code. The code won't display a property if it has the word password in it, kind of as a double check. Let me know if you think I should take that out.

I'm sorry but at this time I do not know if or when the hot fix will be official. We won't be pushing it out as an update though, we'll just make it available for people to download (basically just what you have right now).
0 Kudos
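The masking rule discussed in the posts above (mask a value when its property is listed in MsiHiddenProperties, or when the property name contains the word "password"), as an added example that is not part of the original thread and is not InstallShield's code. The log line format, the sample values, the function names and the case-insensitive name match are assumptions made for illustration.

```python
import re

MASK = "**********"  # fixed width, so the mask does not reveal the secret's length

def parse_hidden(msi_hidden_properties):
    """Split the semicolon-delimited MsiHiddenProperties value into a set of names."""
    return {n.strip() for n in msi_hidden_properties.split(";") if n.strip()}

def is_secure(name, hidden):
    """Rule from the thread: listed in MsiHiddenProperties, or the name
    contains 'password' (matching case-insensitively is an assumption)."""
    return name in hidden or "password" in name.lower()

# Constructed log format: "<setting> = [PROPERTY] -> <resolved value>"
LINE_RE = re.compile(
    r"^(?P<prefix>.*?\[(?P<prop>[A-Za-z_][\w.]*)\] -> )(?P<value>.*)$"
)

def redact_line(line, hidden):
    """Replace the resolved value with MASK when the property is secure."""
    m = LINE_RE.match(line)
    if not m or not is_secure(m.group("prop"), hidden):
        return line
    return m.group("prefix") + MASK

def redact_log(text, msi_hidden_properties):
    """Redact every line of a log against one MsiHiddenProperties value."""
    hidden = parse_hidden(msi_hidden_properties)
    return "\n".join(redact_line(l, hidden) for l in text.splitlines())

# Constructed sample lines; none of these values come from a real install log.
SAMPLE_LOG = """\
AppPool 'Pool1': WamUserName = [POOL_USER] -> svc_web
AppPool 'Pool1': WamUserPass = [SecurePassword] -> hunter2-constructed
AppPool 'Pool2': WamUserPass = [NonSecurePassword] -> other-constructed
AppPool 'Pool3': WamUserPass = [POOL_SECRET] -> third-constructed
AppPool 'Pool4': WamUserPass = [UNLISTED_CRED] -> leaks-constructed"""

if __name__ == "__main__":
    # Pool4's value still prints: its property is neither listed as hidden
    # nor named "...password...", so neither check catches it.
    print(redact_log(SAMPLE_LOG, "SecurePassword;POOL_SECRET"))
```

The last sample line shows why the name check is only a backstop: a credential held in a property that is neither listed nor named with "password" is still written in clear, so the property has to be added to MsiHiddenProperties.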
klacounte
Level 6

I'd leave the "password" check in - like you said it's a safeguard and I can't see any negative effects.

So do you think it's safe to use that version of the DLL in production installs?
0 Kudos
davidh
Level 6

Sorry, I do not have much info on that at this point. Official fixes go above my lowly head. I will post as soon as I get more info.
0 Kudos
davidh
Level 6

I believe a hot fix will be created with just the password logging fix for 2008. The best way might be to contact support about the fix.

Attached is the latest IISHelper.dll that I believe resolves both your issues. It is almost exactly what I posted earlier, with a few minor changes. This version passes all my automated runtime tests, but it is not an official version. I suppose the choice is up to you on which version you decide to go with. I am just trying to give as much info as I can at this point.
0 Kudos
klacounte
Level 6

Thanks David.
0 Kudos
klacounte
Level 6

David,

I think I've got another one for you. When installing on IIS 7 you can't use a property for the application name. The log doesn't provide any details. If you need any additional information let me know.

Thanks
0 Kudos
klacounte
Level 6

Also with IIS 7 the application pools are being set to use .NET 2.0 even though they are v1.1. If you'd like a project to duplicate these issues let me know.
0 Kudos