
Author: Tobias Zimmergren
URL: http://www.zimmergren.net

Introduction

Alright, so we’ve had a few discussions lately regarding securing your SharePoint environments. Not only did I have a discussion about this when I was conducting SharePoint training last week, but we also covered the aspect that is the basis for this article: the Application Pool password is stored in clear text.

If you read this article and the associated code, you’ll see how unsafe it can be to run your Application Pool accounts with too many permissions, which leads us into the discussion about running a least-privileged installation of SharePoint, at all times!

Note: This can also be seen as a way of "recovering your application pool password".

Where can I get/retrieve my Application Pool Password?

Well, there are plenty of ways to fetch your Application Pool password, but I’m going to give you two possible ways which are fairly easy. The first requires you to be an administrator on the local server; the second works even for an anonymous user, through a web part that runs under elevated privileges.

  • Use the SharePoint Manager to get your Application Pool password
  • Find your Application Pool: [image]

Note: You’ll see that the password for your Application Pool is indicated in clear text, along with the name, ID, User Name etc.

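  • Use the following SharePoint object model code to get your Application Pool password: [image]
  • Copy/Paste friendly code:

    // Requires: using Microsoft.SharePoint; using Microsoft.SharePoint.Administration;
    // using System.Web.UI.WebControls;
    // Runs inside a Web Part (it adds a control to the Web Part's Controls collection).
    SPWebService webService =
        SPContext.Current.Site.WebApplication.WebService;

    string appPoolName =
        SPContext.Current.Site.WebApplication.ApplicationPool.Name;

    // The delegate runs as the Application Pool identity, not as the
    // (possibly anonymous) user who requested the page.
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        var app = new SPApplicationPool(appPoolName, webService);
        var lit = new Literal();
        lit.Text += "Application Pool Name: " + app.Name;
        lit.Text += " ";
        // The object model returns the password as a plain string.
        lit.Text += "Application Pool Password: " + app.Password;
        lit.Text += " ";
        lit.Text += "Application Pool User Name: " + app.Username;
        Controls.Add(lit);
    });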

  • This is what the Web Part would look like, even to anonymous users: [image]

What can we do to secure our environments then?

First off, you should think about security before you install SharePoint. That’s for sure. Second, you should always perform a least-privileged installation of your SharePoint environment, meaning that e.g. the Application Pool account doesn’t get more permissions than needed.
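
One way to audit this, as an added example that is not part of the original post: the PowerShell below lists each application pool identity and flags those that run as LocalSystem or are direct members of the local Administrators group. It assumes PowerShell 2.0 or later on a SharePoint server, a farm administrator account, an English-language group name, and that local administrator membership is one sign of an over-privileged account; the function names are hypothetical.

```powershell
# Added example: reads pool names and identities only, never the stored password.
# Assumes PowerShell 2.0+ on a SharePoint server, run by a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# SIDs of the direct members of the local Administrators group (English name assumed).
# Accounts that are administrators only through a nested domain group are not resolved.
function Get-LocalAdminSids {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in $group.psbase.Invoke("Members")) {
        $bytes = $member.GetType().InvokeMember("objectSid", "GetProperty", $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Test-AppPoolPrivilege {
    $adminSids = @(Get-LocalAdminSids)
    $services = @(
        [Microsoft.SharePoint.Administration.SPWebService]::ContentService,
        [Microsoft.SharePoint.Administration.SPWebService]::AdministrationService
    )
    foreach ($service in $services) {
        foreach ($pool in $service.ApplicationPools) {
            $type = $pool.CurrentIdentityType.ToString()
            $finding = "OK"
            if ($type -eq "LocalSystem") {
                $finding = "REVIEW: runs as LocalSystem"
            } elseif ($type -eq "SpecificUser") {
                try {
                    $account = New-Object System.Security.Principal.NTAccount($pool.Username)
                    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    if ($adminSids -contains $sid) { $finding = "REVIEW: local administrator" }
                } catch {
                    $finding = "UNKNOWN: could not resolve account"
                }
            }
            New-Object PSObject -Property @{
                ApplicationPool = $pool.Name
                Identity        = $pool.Username
                IdentityType    = $type
                Finding         = $finding
            }
        }
    }
}

Test-AppPoolPrivilege | Format-Table ApplicationPool, Identity, IdentityType, Finding -AutoSize
```

Run it on each server in the farm, since local group membership is per machine.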

To see some related articles on how you can correctly install your SharePoint environments, please have a read-through on the following articles:

Summary

This post was merely meant to be a follow-up to the discussions going on, and to enlighten you that there are some things we DO NEED TO CONSIDER with our SharePoint environments, even if they’ve been running fine for quite some time.

Just a heads up.

Z out.


18 May 2009