
We want to implement a feature similar to IIS in how it remembers user-configured usernames and passwords. As I understand it, when you configure IIS to use a set of credentials for an app pool identity and run under the context of that identity using those credentials (username and password), it also then stores the credentials so that when the machine restarts, you don't need to manually re-configure it in order for it to continue using those same credentials.

However, since the credentials are persistent, this means that any user who can access the persistent storage (be it the file system or some other form of storage) could potentially extract the username and password. Is this a security issue? How does IIS resolve this issue? If it only saved a token, which would result from the username and password for authentication, it wouldn't work because you would also be able to extract the token and use it.

Asked by ZijingWu; edited by Xander

1 Answer


It doesn't. This is why the service accounts should only have the minimum level of permissions necessary. If the application server is compromised, so are the service accounts that it has access to. I'm pretty sure even an HSM couldn't help any since the system needs to be able to get the password out of whatever storage to submit to network resources.

AJ Henderson
  • Is it possible to set the password in an HSM and use challenge-response authentication? After getting the server challenge, use the HSM to do the hash, encryption or decryption, and send the result back to the server to convince it you have access rights. – ZijingWu Sep 02 '13 at 08:27
  • @ZijingWu - only if there is some HSM available that can respond to the authentication requests of whatever authentication system you are using directly. The key would be that you would have to put it in the HSM in a way that the password is never released. I'm not aware of any such option, but that doesn't mean one might not exist somewhere. – AJ Henderson Sep 02 '13 at 16:27
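The thread above turns on two properties: a password or token persisted at rest is a bearer secret that anyone who can read the store can replay, and a challenge-response scheme with the key held inside an HSM avoids that only if the verifier actually speaks such a protocol. The following Python script, added here as an illustration and not code from the question, the answer, IIS or any real HSM product, models both cases: a simulated HSM slot that exposes only respond(), a verifier that issues single-use random challenges, and a static-token verifier standing in for the persisted-credential case. All class and function names, and the credential bytes, are constructed for the example.

```python
"""Bearer secret at rest vs. challenge-response with an HSM-held key.
Added example; SimulatedHsm, ChallengeResponseServer and StaticTokenServer
are assumptions for illustration, not any real API."""
import hashlib
import hmac
import secrets


class SimulatedHsm:
    """Stand-in for an HSM slot. Only respond() is exposed, so a process that
    can reach it can authenticate *now* but is not handed the key to reuse
    later. A real HSM enforces this in hardware; Python cannot, so treat the
    private attribute as a convention only."""

    def __init__(self, key: bytes) -> None:
        self.__key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC over the verifier's challenge; the key never leaves the slot.
        return hmac.new(self.__key, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Verifier side. Shares the key (how it protects its copy is out of
    scope here) and issues 32-byte random challenges that are valid once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Unknown or already-consumed challenge: reject. This is what makes a
        # captured (challenge, response) pair worthless to replay.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(server: ChallengeResponseServer, hsm: SimulatedHsm) -> bool:
    """Legitimate service logon: fresh challenge, fresh response."""
    c = server.challenge()
    return server.verify(c, hsm.respond(c))


def replay(server: ChallengeResponseServer, hsm: SimulatedHsm) -> bool:
    """Attacker captured one exchange off the wire and presents it again."""
    c = server.challenge()
    r = hsm.respond(c)
    first = server.verify(c, r)     # the real client's logon succeeds
    second = server.verify(c, r)    # replay: challenge already consumed
    return first and second


class StaticTokenServer:
    """The case the question describes: the verifier accepts a stored
    password or token as-is, so it is a bearer secret."""

    def __init__(self, token: bytes) -> None:
        self._token = token

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._token, presented)


# Constructed stand-in for what a persisted app-pool credential looks like
# to any principal that can read the configuration store.
PERSISTED_CREDENTIAL = b"svc_app:P@ssw0rd-from-config-file"


def attacker_reads_storage(server: StaticTokenServer) -> bool:
    """No cryptography needed: read the bytes, present the bytes."""
    stolen = PERSISTED_CREDENTIAL
    return server.verify(stolen)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    hsm, crs = SimulatedHsm(key), ChallengeResponseServer(key)
    print("HSM challenge-response logon:", authenticate(crs, hsm))
    print("replay of captured exchange:", replay(crs, hsm))
    print("stolen stored credential accepted:",
          attacker_reads_storage(StaticTokenServer(PERSISTED_CREDENTIAL)))
```

The point of the contrast is the one AJ Henderson makes in the comments: the HSM case only helps because ChallengeResponseServer is written to issue and consume challenges. If the resource you must authenticate to (a file share, a database, a domain controller) only accepts a password, the service still has to get the password out of storage and send it, and whoever can read that storage with the service's rights can do the same. Least privilege on the service account is then the control that bounds the damage.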