Possible to retrieve password of current application pool

"Dylan Nicholson" <wizof***@hotmail.com> wrote in message news:1191510657.740308.102980@w3g2000hsg.googlegroups.com...

Running as an administrator, I can retrieve the account password stored by IIS for any application pool (using the WAMUserPass property). But, unsurprisingly, an ASP.NET application running inside an application pool that does not have administrator privileges can't even enumerate the list of application pools.

I can access the application pool by hard-coding the name, but even then the WAMUserPass is an empty property value collection.

This doesn't hugely surprise me, but it's somewhat frustrating - the reason I want access to this password is to schedule Windows Tasks with the same account, and for that I need the password. Seeing as the password has already been configured and stored by IIS, I want to avoid needing to configure and store it elsewhere too.

Unless there's another way around this...

On Oct 5, 5:07 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

What about running the web app pool as a user that has Administrator privileges?

Cheers
Ken

"Dylan Nicholson" <wizof***@hotmail.com> wrote in message news:1191753837.336887.274420@d55g2000hsg.googlegroups.com...

Client insisted that this wasn't acceptable.

On Oct 7, 9:39 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

OK - use the DPAPI API available with Windows to store/retrieve the password. That way you don't need to come up with your own secure storage mechanism for passwords.

Cheers
Ken
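
The DPAPI suggestion above as a sketch, added here and not code posted by anyone in the thread: the password is encrypted with `ProtectedData` and the resulting blob is written to a file the application manages itself. The class name, file path and entropy string are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // ProtectedData (System.Security.dll)
using System.Text;

// Added example. DPAPI encrypts and decrypts; the caller decides where the
// protected blob is kept.
static class TaskCredentialStore
{
    // Hypothetical location; restrict its ACL to the application pool account.
    const string BlobPath = @"C:\AppData\MyApp\task-cred.bin";

    // Constructed application-specific entropy. It is not a key, but the same
    // bytes must be supplied again for Unprotect to succeed.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.TaskCredential.v1");

    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(BlobPath, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave the cleartext bytes around
        }
    }

    // Returns null when the blob cannot be decrypted by the current account.
    public static string Load()
    {
        byte[] blob = File.ReadAllBytes(BlobPath);
        byte[] plain;
        try
        {
            plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            return null; // different account, wrong entropy, or a modified blob
        }
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}
```

`DataProtectionScope.CurrentUser` ties the blob to the account the code runs as and needs that account's profile to be loaded. `DataProtectionScope.LocalMachine` removes that requirement but lets any account on the machine decrypt, leaving the entropy value and the file ACL as the only barriers.
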
"Dylan Nicholson" <wizof***@hotmail.com> wrote:

DPAPI offers storage? I thought it only offered encryption (and even then you have to provide a password). And it doesn't solve the problem of the user having to supply the password twice.

On Oct 6, 1:59 am, "Kristofer Gafvert" <kgafv***@NEWSilopia.com> wrote:

Hello,

Please see my answers inline

Dylan Nicholson wrote:
> Running as an administrator, I can retrieve the account password
> stored by IIS for any application pool (using the WAMUserPass
> property). But, unsurprisingly, an ASP.NET application running inside
> an application pool that does not have administrator privileges
> can't even enumerate the list of application pools.

That is true, by default non-administrators cannot enumerate the list of application pools.

> I can access the application pool by hard-coding the name, but even
> then the WAMUserPass is an empty property value collection.

That is also true. By default, non-administrators can access non-secure properties, but not secure properties.

> This doesn't hugely surprise me, but it's somewhat frustrating - the
> reason I want access to this password is to schedule Windows Tasks
> with the same account, and for that I need the password. Seeing as
> the password has already been configured and stored by IIS, I want to
> avoid needing to configure and store it elsewhere too.
> Unless there's another way around this...

I would run the scheduled application with a special user that has been set up specifically for this purpose. Then you can evaluate what permissions are needed, and run the application with a locked-down user account.

Hope this helps!
"Dylan Nicholson" <wizof***@hotmail.com> wrote:

The ASP.NET app has the same permission requirements as the scheduled task - reading/writing to the same directory, accessing the same database. Anyway, how would that help, I'd still need to store a password. Actually my current "solution" is for the password to be fixed via an algorithm that uses static hard-coded information. Not happy with it though.