PDA

View Full Version : IIS App Pool Password still logged



klad325
06-24-2012, 10:13 PM
I'm a newbie to the IS world, but I can't seem to figure out what I'm doing wrong. I have a basic MSI project setting up an IIS site and application pool as a named user (stored as a public windows installer property as the result of a dialog--yes, the password bit is set). I added the property APP_POOL_PASSWORD to the MsiHiddenProperties property, but I still see the password logged in plaintext to the install log when my app pool is created:


InstallShield 22:48:21: CommitChanges for path 'MACHINE/WEBROOT/APPHOST' and physical path 'C:\Windows\system32\inetsrv\config\'.
InstallShield 22:48:21: SetVRtStrProperty for property '7502' with value '********'.
InstallShield 22:48:21: GetAdminSection for section 'system.applicationHost/applicationPools' and path 'MACHINE/WEBROOT/APPHOST' and commitpath 'MACHINE/WEBROOT/APPHOST'.
InstallShield 22:48:21: Found element with property 'name' value of: MyProduct 7.0 AppPool
InstallShield 22:48:21: PutPropertyValue: sProperty password sValue ******** bIsPath 0
InstallShield 22:48:21: PutPropertyCommon: sProperty password sValue PASSWORDINPLAINTEXT!!! bIsPath 0
InstallShield 22:48:21: Setting property 'password' to value '********' for element 'processModel'. Old value: '********'. m_sSectionName : 'system.applicationHost/applicationPools'.
InstallShield 22:48:21: put_value succeeded. get_StringValue now returns '0' with string value '********'.


I thought this issue had been fixed based on reading the 2012 Spring release notes:
IOA-000069577 (Basic MSI, InstallScript MSI)
"If your installation creates an IIS application pool identity that was configured in the Internet Information view, the installation no longer includes the application pool's identity password in the Windows Installer log file when the password is stored as the value of a Windows Installer property."

What am I missing? Passwords should never be logged!

TsungH
07-16-2012, 08:29 PM
I just installed IS2012 Spring Standalone Build earlier today after spending weeks with IS Sales on getting a download link (we have Maintenance plans), and confirmed this behavior in IS2012 Spring SAB as well. This bug has been around since IS2011 (I opened a support ticket #SIOC-000123698), and also in IS2012 and SP1.

Also XML Changes will write value of properties in plain text to MSI log, even when the properties are added to MsiHiddenProperties.

klad325
07-17-2012, 04:42 PM
Thanks, TsungH. Glad to know I'm not crazy...(yet!).

I'll open a support ticket too, though given that you've been waiting for this fix since IS2011 I'm not particularly optimistic it will happen any time soon :mad:

For now I guess I'll have to remove it from the installer and have our installation team set the password manually for each of our deployments (ouch!)

JMiera
07-17-2012, 05:49 PM
I see exactly the same issue. This bug seems to appear and disappear every other year or so. :(

If you do get a resolution from Flexera, please post here also.