Information
By default, whenever a property is encrypted, IIS uses the defaultProvider for encryption defined in machine.config. The IIS local system process (WAS) runs under the context of LOCALSYSTEM and needs access to the application pool passwords. However, by default the IIS\_IUSRS security group is granted read access. It is recommended that the IIS\_IUSRS group have access to the iisWasKey revoked.
Rationale:
The iisWasKey is intended for access only by Administrators and SYSTEM. Since the IIS\_IUSRS group is granted read access, an attacker compromising an application set to use a principal in the IIS\_IUSRS group could potentially gain access to the encryption key(s). Revoking this unnecessary privilege will reduce attack surface and help maintain confidentiality and system/application integrity.
Solution
Removing access to the iisWasKey can be done by using an aspnet\_regiis.exe command. The syntax is as follows, and is dependent on the version of .NET being used:
%systemroot%\Microsoft.NET\Framework<bitness (if not the 32 bit)>\<framework version>\aspnet_regiis.exe -pr iisWasKey IIS_IUSRS
To remove read access to the IIS\_IUSRS security group on a system using .NET Framework v2.0:
Open an elevated command prompt
Run the following aspnet\_regiis.exe command:
%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pr iisWasKey IIS_IUSRS
If running a 64-bit system, also run the following:
%systemroot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -pr iisWasKey IIS_IUSRS
Note: A unique version of aspnet\_regiis.exe is included with each version of the .NET Framework. Since each version of the tool applies only to its associated version of the .NET Framework, be sure to use the appropriate version of the tool.