PDA

View Full Version : Logging level for ISIISInstall action - logging passwords



vtchalkov
09-28-2011, 11:58 PM
Hi,

For the last days I've been trying to configure msi logging.
The goal is to have troubleshooting information, but at the same time to skip some sensitive properties.

After reading help and implementing all good practices like encrypting custom action data, hiding properties using MsiHiddenProperties and changing custom action type by adding 0x2000 to hide CustomActionData value there is one problem left.

In my project I create IIS web sites and application pools.
If the logging level (MsiLogging property) includes "i" (Information) or "v" (verbose) ISIISInstall logs a lot of information, including lines like the one bellow:


InstallShield 07:29:08 ч.: PutPropertyValue: sProperty password sValue pass@word1 bIsPath 0


pass@word1 is the actual password used in the application pool identity or in anonymous user account.

Is there a way to hide these passwords without removing "i" and "v" from logging level?

vtchalkov
10-03-2011, 03:26 AM
After some additional tests it looks like the problem is related to the IIS 7 specific code.
When the same installation is executed under Windows 2003 all passwords are appropriately masked.
Under Windows 7 however the password is visible in clear text.

Looks like a bug in IIS 7 related code.

TsungH
03-23-2012, 09:12 PM
Did you open a support incident with Flexera?

TsungH
03-30-2012, 04:56 PM
I have opened a support incident last week, and received a work order #IOA-000069577.

There is a similar problem in ISXMLInstall where password in web.config is written to MSI install log. The work order # is IOA-000069605.

The behaviors are in both InstallShield 2011 with Hotfix A and 2012 SP1.

No ETA on a fix.