2.7 Ensure 'passwordFormat' is not set to clear - Default

Information

The <credentials> element of the <authentication> element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization.

Note: The <credentials> element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider.

It is recommended that passwordFormat be set to a value other than Clear, such as SHA1.

Rationale:

Authentication credentials should always be protected to reduce the risk of stolen authentication credentials.

Impact:

passwordFormat will be encrypted.

Solution

Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config:

Locate and open the configuration file where the credentials are stored

Find the <credentials> element

If present, ensure passwordFormat is not set to Clear

Change passwordFormat to SHA1

The clear text passwords will need to be replaced with the appropriate hashed version.

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name 'passwordFormat' -value 'SHA1'

Default Value:

The default passwordFormat method is SHA1.

See Also

https://workbench.cisecurity.org/files/4131