How to Use Encryption to Protect Passwords?

One effective way to protect passwords is encryption. For IIS this means configuring application pool isolation and worker process isolation. Application pool isolation protects data that WAS (the Windows Process Activation Service, which runs as the IIS local system process) needs to access, such as the application pool passwords. Worker process isolation protects data that the application pool identity needs to access, such as the passwords of the anonymous user accounts.
 
Before the detailed steps, two small C# programs are provided to keep the process simple: one creates a new RSA encryption provider in machine.config, the other sets the name of the default provider in machine.config.
 
The detailed parts follow.

Create a New RSA Encryption Provider Application

1. Open Windows Notepad and create a file named createProvider.cs containing the code below:

using System;
using System.Configuration;
 
namespace testingEncryption
{
    public class createProvider
    {
        // Usage: createProvider.exe <keyContainerName> <description> <providerName>
        public static void Main(string[] args)
        {
            String keyContainerName = args[0];
            String description = args[1];
            String providerName = args[2];
            // Open the machine-wide machine.config, not an application's web.config.
            System.Configuration.Configuration machineConfig =
                System.Configuration.ConfigurationManager.OpenMachineConfiguration();
            // Register RsaProtectedConfigurationProvider under the caller-supplied name.
            // The assembly-qualified type name has to be one string, so it is concatenated here.
            System.Configuration.ProviderSettings settings =
                new System.Configuration.ProviderSettings(providerName,
                    "System.Configuration.RsaProtectedConfigurationProvider, " +
                    "System.Configuration, Version=2.0.0.0, Culture=neutral, " +
                    "PublicKeyToken=b03f5f7f11d50a3a");
            settings.Parameters["description"] = description;
            settings.Parameters["keyContainerName"] = keyContainerName;
            settings.Parameters["cspProviderName"] = String.Empty;
            // Machine-level key container: readable by every account granted access to it,
            // which is why the key ACLs are locked down later in this guide.
            settings.Parameters["useMachineContainer"] = "true";
            settings.Parameters["useOAEP"] = "false";
            settings.Parameters["name"] = providerName;
            // Add the provider to <configProtectedData> and write machine.config back.
            ProtectedConfigurationSection pcSection =
                (System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");
            pcSection.Providers.Add(settings);
            machineConfig.Save();
        }
    }
}

2. Initiate an elevated command prompt. 
  • Click "Start".
  • Right-click the mouse on "Command Prompt".
  • Choose "Run as administrator".
3. In the command prompt, change to the directory where you saved createProvider.cs and run the command below to compile the code:
[Image: Use encryption to protect passwords-1]

Create an Application to Alter the Default Provider 

1. Open Windows Notepad and create a file named setProvider.cs containing the code below:

using System;
using System.Configuration;

namespace testingEncryption 
{
    public class setProvider
    {
        // Usage: setProvider.exe <providerName>
        public static void Main(string[] args)
        {
            String provider = args[0];  // example: DataProtectionConfigurationProvider
            System.Configuration.Configuration machineConfig =
                System.Configuration.ConfigurationManager.OpenMachineConfiguration();
            ProtectedConfigurationSection pcSection =
                (System.Configuration.ProtectedConfigurationSection)machineConfig.GetSection("configProtectedData");
            // Report the current default so the change can be reverted later (see "Reset the Encryption Provider").
            string oldEncryptionProviderName = pcSection.DefaultProvider;
            Console.WriteLine("The default provider is currently: " + oldEncryptionProviderName);
            Console.WriteLine("Changing the default provider to: " + provider);
            // Every property encrypted from now on uses this provider.
            pcSection.DefaultProvider = provider;
            machineConfig.Save();
        }
    }
}
2. Initiate an elevated command prompt:
  • Click "Start".
  • Right-click the mouse on "Command Prompt".
  • Choose "Run as administrator".
3. In the command prompt, change to the directory where you saved setProvider.cs and run the command below to compile the code:
[Image: Use encryption to protect passwords-2]

Create User Accounts

Next, we create the 4 user accounts needed for the rest of the process. Open a command window running with administrative rights:
  • Click the "Start" menu.
  • Right-click "Command Prompt".
  • Choose "Run as administrator".
  • Run the commands below in the command window.

[Image: Use encryption to protect passwords-3]
Application Pool Isolation

WAS is the IIS process that runs in the LOCALSYSTEM context, and it is the only process that needs access to the application pool passwords. This part has 4 steps:

1. Create New RSA Key 

Create a new RSA key that only LOCALSYSTEM and Administrators can access. This key will be used to encrypt the password of every application pool.
  • Click "Start" menu.
  • Right-click the "Command Prompt".
  • Choose "Run as administrator".
  • Change to the directory where createProvider.exe is and run the command below:
[Image: Use encryption to protect passwords-4]
Verify the change by opening %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\config\machine.config in Windows Notepad and confirming that the newly created provider appears as follows:
[Image: Use encryption to protect passwords-5]

2. Encrypt the Passwords of Application Pool 

When an application pool property is encrypted, the defaultProvider configured in machine.config is used. By default that provider is RsaProtectedConfigurationProvider.
 
Here we use the setProvider.exe application built earlier to change the default provider to iisWasKey, and then change the application pool passwords using IIS Manager:
  • Click "Start" menu.
  • Right-click the "Command Prompt".
  • Choose "Run as administrator".
  • Change to the directory where setProvider.exe is and run the command below:
[Image: Use encryption to protect passwords-6]
The default provider has now been changed.

3. Create New Application pools

Here we create 2 new application pools, which we will isolate from each other. Start IIS Manager:

1. Click "Start" and enter "INetMgr.exe" (if prompted, click "Continue" to elevate your permissions).

2. Click "+" beside your machine name in the "Connections" field.

3. Click "Application Pools".

4. Click the "Add Application Pool" task.

5. Enter "AppPool1" in the "Name" field and click "OK":
[Image: Use encryption to protect passwords-7]
6. Repeat all the previous steps but enter "AppPool2" in the "Name" field this time.

7. IIS Manager now shows the following:
[Image: Use encryption to protect passwords-8]
8. Notice that the Identity for AppPool1 and AppPool2 is shown as "NetworkService". Change them to the accounts created earlier: right-click "AppPool1" and choose "Advanced Settings".

9. Under the "Process Model" section: 
  • Click the button that is on the right side of "Identity".
  • Click "Custom account" and click "Set..." in the "Application Pool Identity" window.
  • Enter the user name (AppPoolIdentity1) and password (password1) in the "Set Credentials" window, then click "OK".
[Image: Use encryption to protect passwords-9]
10. The "Identity" value should now look like this:
[Image: Use encryption to protect passwords-10]
11. Click the "OK" button.

12. Repeat the above steps for AppPool2, entering AppPoolIdentity2 as the user name and a different password.

13. IIS Manager now shows the following, including the changed application pool identities:
[Image: Use encryption to protect passwords-11]
14. Verify the change by opening %SystemRoot%\System32\Inetsrv\applicationHost.config in Windows Notepad. Find the "applicationPools" section; the application pool passwords are now encrypted with the Rsa_WAS key, as expected: 

 password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAAUkBfhWFbUHIt/qtlo+P7CiZC10r9H0DGBvAl
U2mhiOxMoHXX6Dz0S8TQjKx2YTKvuE8y+SBUWrEs3JYzXKOkY45Q9z6E/3BFvru5oR9uzbjInASKF/83N
N1tIEsoorQWmUOjnL4XM9RNzpqkY6TgyC3CyPUGN9fR7li5+AUupHHfgVPMzcLHfCsoq+ri+X6IbEnJdu
 cUEAYBn1P9F/Zxk=:enc]" />
 password="[enc:Rsa_WAS:jAAAAAECAAADZgAAAKQAAEbQEa/sAmyLbryAR0hD3voip2+0RfzM44sXPekp
 I2H7HYLzta55NfLcG8vSPHhasahKVgO4wcIcT03CLSn+5koWvAaIRdeClhXWK/X8ZQPFooOpyhOqT0TEP5v
 jB+DXAKgq0RC6ufHFtrHMy0U69ew7/49YXEcrkF+o8OJZ1K+EkgA3J2ikHKxW0pFBU0tFvLCjt2/UXypfNI
 0hYPe2syk=:enc]" />

4. Lock Down the Encryption Providers 

When the keys are created, the IIS_IUSRS group is granted read access to them by default. The ASPNET_REGIIS tool can remove that read access. To do so, run the commands below from the elevated command prompt:
[Image: Use encryption to protect passwords-12]
This removes IIS_IUSRS's read access to the iisWasKey, which is meant only for Administrators and LOCALSYSTEM.

Worker Process Isolation

Next, worker process isolation is configured by adding 2 new sites. Each site lives in a different application pool and uses a different anonymous authentication identity. A new RSA encryption provider is then set up for each application pool so that the anonymous passwords are encrypted.

1. Create New Sites

We now create 2 new sites and add them to the application pools created earlier. Open a command window running with administrative rights:
  • Click the "Start" menu.
  • Right-click "Command Prompt".
  • Choose "Run as administrator".
  • Run the command below to change to the wwwroot directory:
[Image: Use encryption to protect passwords-13]
  • Use the commands below to create 2 new directories named "one" and "two":
[Image: Use encryption to protect passwords-14]
[Image: Use encryption to protect passwords-15]
  • Create a Default.htm file in each of the 2 directories containing the HTML below:
[Image: Use encryption to protect passwords-16]
Replace "X" with "one" or "two" according to the directory the file is in.
 
Then create 2 sites using IIS Manager:
1. Click "Start" and enter "INetMgr.exe" (if prompted, click "Continue" to elevate your permissions).

2. Click the "+" button beside your machine name in the "Connections" field.

3. Right-click "Sites" under "Connections" and click "Add Web Site".

4. Set up the site with the following data:
[Image: Use encryption to protect passwords-17]
When completed, you see the following:
[Image: Use encryption to protect passwords-18]
5. Click "OK".

6. Repeat the above steps to create the second site, this time with the information below:
[Image: Use encryption to protect passwords-19]
You have now created 2 sites named "One" and "Two" and added them to the AppPool1 and AppPool2 application pools. The sites are tested with http://localhost:81 and http://localhost:82.

2. Create New Providers for Each Application Pool

In this part, we set up a new RSA provider for each application pool:
  • Click the "Start" menu.
  • Right-click "Command Prompt".
  • Choose "Run as administrator".
  • Change to the directory where createProvider.exe is and run the command below:
 
[Image: Use encryption to protect passwords-20]

3. Set the Anonymous Account for Site One & Site Two

In the elevated command prompt, run the commands below:
[Image: Use encryption to protect passwords-21]
[Image: Use encryption to protect passwords-22]
1. In IIS Manager, double-click site "One"/"Two".

2. Double click "Authentication" under "Feature Name".

3. Choose "Anonymous Authentication" and click "Edit" under "Tasks". The "Edit Anonymous Authentication Credentials" window appears.

4. Click "Specific User" and click "Set".

5. Enter the user name (AnonymousAccount1/AnonymousAccount2) and password (password3/password4) and click "OK".

6. A dialog box like this appears:
[Image: Use encryption to protect passwords-23]
7. Click "OK".

4. Reset the Encryption Provider to the Default

Go back to the elevated command prompt and run the command below:
[Image: Use encryption to protect passwords-24]
This change ensures that any properties encrypted from now on use the default provider.

5. Verify the Changes

Verify that the changes took effect by opening %SystemRoot%\System32\Inetsrv\applicationHost.config in Windows Notepad. Note that:
  • The passwords for AppPool1 and AppPool2 are protected by the Rsa_Was key.
  • The passwords for AnonymousAccount1 and AnonymousAccount2 are protected by the Rsa_app1 and Rsa_app2 keys respectively:
[Image: Use encryption to protect passwords-25]
[Image: Use encryption to protect passwords-26]
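The manual check above (and the one in step 14 of "Create New Application pools") can be scripted. The following is an added example, not part of the original guide: it walks the application pool and anonymous authentication passwords in an applicationHost.config, reports any that are still plaintext, and flags a password protected by a provider other than the one expected for that pool or site. The config sample is constructed for the example and its enc blobs are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the parts of applicationHost.config this guide
# inspects. AppPool2 is deliberately left in plaintext and site Two deliberately
# uses the wrong provider so the audit has findings to report.
SAMPLE_CONFIG = """<configuration>
 <system.applicationHost><applicationPools>
  <add name="AppPool1"><processModel identityType="SpecificUser"
   userName="AppPoolIdentity1" password="[enc:Rsa_WAS:AAAAplaceholder1=:enc]" /></add>
  <add name="AppPool2"><processModel identityType="SpecificUser"
   userName="AppPoolIdentity2" password="password2" /></add>
 </applicationPools></system.applicationHost>
 <location path="One"><system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" userName="AnonymousAccount1" password="[enc:Rsa_app1:AAAAplaceholder2=:enc]" />
 </authentication></security></system.webServer></location>
 <location path="Two"><system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" userName="AnonymousAccount2" password="[enc:Rsa_WAS:AAAAplaceholder3=:enc]" />
 </authentication></security></system.webServer></location>
</configuration>"""

# Shape of a protected attribute as written by IIS: [enc:<providerName>:<base64>:enc]
ENC_RE = re.compile(r"^\[enc:([^:\]]+):([A-Za-z0-9+/=]+):enc\]$")

def classify(value, want):
    """Return (status, provider) for one password attribute value."""
    m = ENC_RE.match(value)
    if not m:
        return ("PLAINTEXT", None)
    provider = m.group(1)
    return ("OK" if want in (None, provider) else "WRONG_PROVIDER", provider)

def audit(config_xml, expected):
    """Map (kind, name) -> classify() result; expected maps a pool or site name
    to the provider that should protect its password."""
    root = ET.fromstring(config_xml)
    findings = {}
    for pool in root.iter("add"):
        pm = pool.find("processModel")
        if pm is not None and "password" in pm.attrib:
            name = pool.get("name")
            findings[("apppool", name)] = classify(pm.get("password"), expected.get(name))
    for loc in root.iter("location"):
        for anon in loc.iter("anonymousAuthentication"):
            if "password" in anon.attrib:
                path = loc.get("path")
                findings[("site", path)] = classify(anon.get("password"), expected.get(path))
    return findings

# What this guide expects: Rsa_WAS for the pools, Rsa_app1/Rsa_app2 for the sites.
EXPECTED = {"AppPool1": "Rsa_WAS", "AppPool2": "Rsa_WAS", "One": "Rsa_app1", "Two": "Rsa_app2"}
```

Run `audit(open(path).read(), EXPECTED)` against a real applicationHost.config; any PLAINTEXT or WRONG_PROVIDER entry means one of the steps above did not take effect.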

6. Lock Down the Encryption Providers

Protect the key permissions as before. Run the commands below from the elevated command prompt:
[Image: Use encryption to protect passwords-27]
These commands remove IIS_IUSRS's ability to read the keys and grant access only to the application pool identity that needs each key.

7. Test Your Sites

Now test the 2 sites at http://localhost:81 and http://localhost:82. Both should work exactly as they did before.

Summary

The tasks above achieve 2 goals: securing the application pool settings and isolating the worker process settings. The application pool passwords can now be read only by Administrators and the permitted SYSTEM account, so an application running in an application pool that tries to retrieve its own application pool password will fail. At the same time, each application pool identity can still decrypt its anonymous password.