5

I'm managing a bunch of IIS 8.5 servers and I'm working on complying with security baselines.

My question is this: If I run a specific appcmd query on one of our IIS servers, I get the following:

C:\>appcmd list config -section:system.web/authentication
<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
      <credentials>
      </credentials>
    </forms>
    <passport />
  </authentication>
</system.web>

C:\>

What I need to do is find the actual configuration file that appcmd is reading from here, so I can update the relevant section manually (updating using appcmd itself causes all kinds of problems). I can't find it. I've checked the following files so far:

  • %SYSTEMROOT%\System32\inetsrv\config\applicationHost.config
  • %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\web.config
  • %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  • %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
  • %WEBROOT%\web.config
  • %WEBROOT%\old application path\web.config
  • new application path\web.config

I can't think of any other places to look. Most of those files don't even have a <system.web> section and none of them have the word "credentials" in them anywhere.

Where is appcmd reading from to generate the output above?


Edit:

I'm still looking into this, and just found the following here, which might be the answer:

Default Configuration

The following default credentials element is not explicitly configured in the Machine.config or root Web.config file. However, it is the default configuration that is returned by the application. <credentials passwordFormat="SHA1" />

Todd Wilcox
  • 2,831
  • 2
  • 19
  • 31

1 Answers1

3

Check:

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

System.web is a dot.NET setting, so it should be in the global web.config file, it seems it is only in the 64bit version, not the 32bit framework.

Peter Hahndorf
  • 13,763
  • 3
  • 37
  • 58
  • 1
    Upvoted as a good place to check, not accepted as it isn't the right answer in this case. I added both the file you suggest and the machine.config in the same folder as places I've already checked. – Todd Wilcox Nov 17 '17 at 17:09
  • When I change the `system.web/authentication` settings in the GUI, it changes the file I mentioned. Can you confirm that? – Peter Hahndorf Nov 20 '17 at 06:03
  • I'm looking for the `` element specifically. Can you change that element in the GUI? If so, where? – Todd Wilcox Nov 20 '17 at 20:07
  • Can you edit your question to state what you are actually try to achieve? What settings do you want to change/add? – Peter Hahndorf Nov 21 '17 at 04:43
  • What I'm trying to achieve is an understanding of how this works so I can write an intelligent request for a waiver for the security and compliance team. They keep saying "just edit the file" and I'm like "just tell me what file to edit" and they don't know and I can't find it either. – Todd Wilcox Dec 04 '17 at 20:27