This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- IIS Secure properties displayed in log
Subscribe
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 15, 2007
02:05 AM
IIS Secure properties displayed in log
IS 2008 now logs IIS property values that are being set in application pools. This includes secure properties such as passwords. These should be masked with asterisks. For reference, the adsutil.vbs script included with IIS does this (see the IsSecureProperty function).
(14) Replies
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 17, 2007
04:40 PM
I created IOC-000064358 for this. At this time the only workaround I can offer is to use InstallScript because it lacks logging.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 17, 2007
04:57 PM
Thanks for the response David. We sometimes get log files from customers but I can have them remove the passwords before sending them. I may be reverting to IS12 anyway for the app pool problem.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 17, 2007
05:04 PM
You might want to hold off on reverting. Since this involves a security issue we will hot fix this ASAP.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 17, 2007
05:12 PM
I'm not sure if you saw this thread Bug in caCreateVRoots - Creating app pools. This is the problem I was referring to that would make me go back to IS12.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 20, 2007
02:50 PM
Attached is a test version that should fix the password logging problem. This is not the official hot fix. I smoke tested it, but please verify to see if this solves your issue.
You might want to hold for an official released version. I have yet to test this with our automated runtime tests. Additionally, before we release anything our testing department runs a lot of manual tests against IIS. If I see any problems, I will post, but thought you might want to try this out for now.
To test, backup your version of IISHelper.dll and use the attached version.
Secondly, the InstallShield IIS runtime will attempt to mask the password if it is added to the MsiHiddenProperties property. So, add the property name you are using to MsiHiddenProperties.
You might want to hold for an official released version. I have yet to test this with our automated runtime tests. Additionally, before we release anything our testing department runs a lot of manual tests against IIS. If I see any problems, I will post, but thought you might want to try this out for now.
To test, backup your version of IISHelper.dll and use the attached version.
Secondly, the InstallShield IIS runtime will attempt to mask the password if it is added to the MsiHiddenProperties property. So, add the property name you are using to MsiHiddenProperties.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 20, 2007
02:58 PM
Thanks David. I'll give it a try and post back in a couple of hours.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 20, 2007
05:56 PM
David,
In my test project I created two properties SecurePassword and NonSecurePassword and set MsiHiddenProperties to SecurePassword. I used each of the properties in the password setting for an app pool then installed and reviewed the log. The SecurePassword was masked as expected but the NonSecurePassword was masked as well. I don't see how this would be a problem but thought you should know about it.
The other issue I reported with the error creating the application pools was also resolved with the updated dll. Do you know when an official version would be available?
In my test project I created two properties SecurePassword and NonSecurePassword and set MsiHiddenProperties to SecurePassword. I used each of the properties in the password setting for an app pool then installed and reviewed the log. The SecurePassword was masked as expected but the NonSecurePassword was masked as well. I don't see how this would be a problem but thought you should know about it.
The other issue I reported with the error creating the application pools was also resolved with the updated dll. Do you know when an official version would be available?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 21, 2007
11:31 AM
Oooh, nice test. You actually found some extra functionality in the code. The code won't display a property if it has the word password in it, kind of as a double check. Let me know if you think I should take that out.
I'm sorry but at this time I do not know if or when the hot fix will be official. We won't be pushing it out as an update though, we'll just make it available for people to download (basically just what you have right now).
I'm sorry but at this time I do not know if or when the hot fix will be official. We won't be pushing it out as an update though, we'll just make it available for people to download (basically just what you have right now).
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 21, 2007
01:58 PM
I'd leave the "password" check in - like you said it's safeguard and I can't see any negative effects.
So do you think it's safe to use that version of the DLL in production installs?
So do you think it's safe to use that version of the DLL in production installs?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 25, 2007
10:42 AM
Sorry, I do not have much info on that at this point. Official fixes go above my lowly head. I will post as soon as I get more info.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 28, 2007
07:14 PM
I believe a hot fix will be created with just the password logging fix for 2008. The best way might be to contact support about the fix.
Attached is the latest IISHelper.dll that I believe resolves both your issues. It is almost exactly what I posted earlier, with a few minor changes. This version passes all my automated runtime tests, but it is not an official version. I suppose the choice is up to you on which version you decide to go with. I am just trying to give as much info as I can at this point.
Attached is the latest IISHelper.dll that I believe resolves both your issues. It is almost exactly what I posted earlier, with a few minor changes. This version passes all my automated runtime tests, but it is not an official version. I suppose the choice is up to you on which version you decide to go with. I am just trying to give as much info as I can at this point.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 28, 2007
07:22 PM
Thanks David.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Sep 30, 2007
10:49 PM
David,
I think I've got another one for you. When installing on IIS 7 you can't use a property for the application name. The log doesn't provide any details. If you need any additional information let me know.
Thanks
I think I've got another one for you. When installing on IIS 7 you can't use a property for the application name. The log doesn't provide any details. If you need any additional information let me know.
Thanks
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Oct 01, 2007
10:30 AM
Also with IIS 7 the application pools are being set to use .NET 2.0 even though they are v1.1. If you'd like a project to duplicate these issues let me know.