‎Sep 28, 2011
11:58 PM
Logging level for ISIISInstall action - logging passwords
Hi,
For the last few days I've been trying to configure MSI logging.
The goal is to have troubleshooting information, but at the same time to skip some sensitive properties.
After reading help and implementing all good practices like encrypting custom action data, hiding properties using MsiHiddenProperties and changing custom action type by adding 0x2000 to hide CustomActionData value there is one problem left.
In my project I create IIS web sites and application pools.
If the logging level (MsiLogging property) includes "i" (Information) or "v" (verbose), ISIISInstall logs a lot of information, including lines like the one below:
InstallShield 07:29:08 ч.: PutPropertyValue: sProperty password sValue pass@word1 bIsPath 0
pass@word1 is the actual password used in the application pool identity or in the anonymous user account.
Is there a way to hide these passwords without removing "i" and "v" from logging level?
(3) Replies
‎Oct 03, 2011
03:26 AM
After some additional tests it looks like the problem is related to the IIS 7 specific code.
When the same installation is executed under Windows 2003 all passwords are appropriately masked.
Under Windows 7 however the password is visible in clear text.
Looks like a bug in IIS 7 related code.
‎Mar 23, 2012
09:12 PM
Did you open a support incident with Flexera?
‎Mar 30, 2012
04:56 PM
I opened a support incident last week, and received work order #IOA-000069577.
There is a similar problem in ISXMLInstall, where the password in web.config is written to the MSI install log. The work order # is IOA-000069605.
The behaviors are in both InstallShield 2011 with Hotfix A and 2012 SP1.
No ETA on a fix.
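A post-install scrub for the leak described in this thread, as an added example that is not part of the original posts and is not InstallShield code: it masks the value in `PutPropertyValue` lines of the shape quoted in the first post before a log is stored or shared. The function names, the sensitive-name pattern and the sample log lines are assumptions constructed for illustration.

```python
import re

# Property names treated as sensitive (assumption; extend for your project).
SENSITIVE = re.compile(r"pass|pwd|secret", re.IGNORECASE)

# Shape of the ISIISInstall line quoted in the thread:
#   ... PutPropertyValue: sProperty <name> sValue <value> bIsPath <0|1>
# The value runs up to the LAST " bIsPath <n>", so passwords containing
# spaces are captured whole instead of being cut at the first space.
PUT_PROP = re.compile(
    r"^(?P<head>.*PutPropertyValue: sProperty (?P<name>\S+) sValue )"
    r"(?P<value>.*)(?P<tail> bIsPath \d+\s*)$"
)

MASK = "**********"

def redact_line(line):
    """Return (line, leaked); leaked is True when a secret value was masked."""
    m = PUT_PROP.match(line)
    if not m or not m.group("value") or not SENSITIVE.search(m.group("name")):
        return line, False
    return m.group("head") + MASK + m.group("tail"), True

def redact_log(text):
    """Mask sensitive values in a whole log; return (clean_text, hit_line_numbers)."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        clean, leaked = redact_line(line)
        out.append(clean)
        if leaked:
            hits.append(n)
    return "".join(out), hits

# Constructed sample log (not taken from a real installation).
SAMPLE = (
    "InstallShield 07:29:08: PutPropertyValue: sProperty userName sValue svc_app bIsPath 0\r\n"
    "InstallShield 07:29:08: PutPropertyValue: sProperty password sValue pass@word1 bIsPath 0\r\n"
    "InstallShield 07:29:09: PutPropertyValue: sProperty password sValue two words bIsPath 0\r\n"
)

if __name__ == "__main__":
    cleaned, leaked_lines = redact_log(SAMPLE)
    print(cleaned, end="")
    print("lines with masked secrets:", leaked_lines)
```

The returned line numbers double as a detection result: a non-empty list means the log contained a clear-text credential, and that credential should be rotated even after the log is scrubbed.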