Hi,
We are facing the following issue with encrypted passwords stored in the applicationHost.config file.
It seems that when we use "appcmd.exe" or a PowerShell query to get information about IIS application pools, the encrypted passwords are automatically decrypted and shown in clear text. It's a serious security risk.
The Application Pool identity is configured using a custom account, e.g. a domain user account/password. The IIS version is 7.5 and the server is Windows Server 2008 R2. We need a custom domain account because we want to access SQL Server remotely with Windows authentication.
We tried to encrypt the passwords using the RSA encryption technique from this article (http://www.iis.net/learn/manage/configuring-security/using-encryption-to-protect-passwords), but it doesn't seem to work as expected. By that I mean that the passwords are still shown in clear text when we use appcmd.exe or PowerShell commands.
Is there any way to ensure that the passwords stored in the applicationHost.config file are not decrypted by appcmd.exe or PowerShell commands? Or are there any other approaches that we can use?
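As an added example, not part of the original post, the following PowerShell script reproduces the behaviour described above on one application pool and then inventories every pool that stores a password at all. It assumes IIS 7.5 with the WebAdministration module and an elevated session on the IIS server; the pool name is a placeholder to replace. The check worth making here: the password attribute of processModel is already encrypted on disk (IIS 7.x does this by default with IISWASOnlyRsaProvider, independently of the steps in the linked article), and what appcmd.exe and Get-ItemProperty display is the configuration system decrypting it for a caller that may use the provider's RSA key container, which by default means members of the local Administrators group.

```powershell
# Added example, not from the original post. Shows the behaviour the question describes:
# the pool password is encrypted in applicationHost.config on disk, but the IIS
# configuration system hands it back decrypted to an administrator.
# Assumptions: IIS 7.5 with the WebAdministration module, run elevated; the pool name
# below is a placeholder to replace.
Import-Module WebAdministration

$PoolName   = 'MyCustomPool'                                   # assumption: your pool
$ConfigPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

function Test-EncryptedAttribute {
    # IIS stores encrypted attributes as [enc:<ProviderName>:<base64 blob>:enc]
    param([string]$Value)
    return [bool]($Value -match '^\[enc:[^:]+:[^:]*:enc\]$')
}

function Get-StoredPoolPassword {
    # Read the raw XML directly so that no configuration provider decrypts anything.
    param([string]$Name, [string]$Path)
    [xml]$cfg = Get-Content -Path $Path
    $pool = $cfg.configuration.'system.applicationHost'.applicationPools.add |
            Where-Object { $_.name -eq $Name }
    if ($pool -and $pool.processModel) { return [string]$pool.processModel.password }
    return $null
}

function Get-PoolPasswordFromApi {
    # Same attribute through the IIS: provider. The configuration system decrypts it for
    # any caller allowed to use the provider's RSA key container (local Administrators
    # by default), which is exactly what appcmd.exe and Get-ItemProperty show.
    # Equivalent appcmd call:  appcmd list apppool "<pool>" /text:processModel.password
    param([string]$Name)
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel
    return [string]$pm.password
}

function Get-PoolsWithStoredPasswords {
    # Inventory: every pool that runs as a specific user stores a password that any
    # administrator can recover this way, so these are the ones to review.
    Get-ChildItem -Path IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        Select-Object -Property name, @{ n = 'userName'; e = { $_.processModel.userName } }
}

$stored = Get-StoredPoolPassword -Name $PoolName -Path $ConfigPath
$viaApi = Get-PoolPasswordFromApi -Name $PoolName

"On disk             : $stored"
"Encrypted on disk   : $(Test-EncryptedAttribute $stored)"
"Via API (masked)    : $('*' * $viaApi.Length)"   # never echo the clear-text value
"Encrypted via API   : $(Test-EncryptedAttribute $viaApi)"
""
"Pools running as a specific user:"
Get-PoolsWithStoredPasswords | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS server. The on-disk line shows the `[enc:IISWASOnlyRsaProvider:...:enc]` form, while the masked API line shows that the configuration system returned a clear-text value of the same length as the password without the script printing it; the inventory at the end lists the pools whose identity depends on such a stored password.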