2.8 Ensure 'credentials' are not stored in configuration files - Applications

Information

The <credentials> element of the <authentication> element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization.

Note: The <credentials> element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider.

It is recommended to avoid storing passwords in the configuration file even in form of hash.

Rationale:

Authentication credentials should always be protected to reduce the risk of stolen authentication credentials. For security reasons, it is recommended that user credentials not be stored an any IIS configuration files.

Impact:

Passwords in the configuration file will be stored in form of a hash.

Solution

Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config:

Locate and open the configuration file where the credentials are stored

Find the <credentials> element

If present, remove the section

This will remove all references to stored users in the configuration files.

OR

Enter the following command in PowerShell to configure:

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name '.'

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Windows

Control ID: 14a032246713a37dc19950d25e02072059b54c7a58254b518b27cf591965a17e