HOWTO - hunt down all instances of a saved service account username ANYWHERE that it's saved in IIS

Question

Hi

    A behemoth of an application which I shan't name (let's call it VoleStrangler for the sake of convenience) has configured a gazillion websites, app pools, virtual directories, COM+ objects, DCOM objects, Scheduled Tasks, entries in config files across multiple application servers... resulting in a massive proliferation of config files and whatnot containing the password for the ONE service account used right across the board.

    ALL instances of the account use need to be discovered, in order to ensure that every time the password is updated in AD, every instance of the password in an unmanaged location is refreshed.

    I've got rather a lot figured out. I can hunt down COM+ and DCOM objects across the network that are using that service account, and update the passwords. I can also hunt down any scheduled tasks which are using that account. I can even update (some) IIS app pools and virtual directories which are using the service account.

    But it's only IIS that is really grinding my gears. I have to explicitly tell PowerShell which paths to search into - and I keep finding objects in IIS that its internal logic simply seems to completely overlook.

    Even now I'm looking at 5 subsites which resolutely tell PowerShell that they're not even using the service account for anything - even though the IIS management UI says otherwise. What's even more brilliant is that there doesn't appear to be any way to check which password is configured AND the built-in functions return diddly squat, so the only way to even validate a password rotation is to find the username, get the password, update the password with the new password, and then interrogate the whole ruddy thing all over again just to check that the old password WAS replaced with the new password.

    Does anybody out there have a more effective solution, i.e., a far more efficient brute force "find any instance of this account being used ANYWHERE in IIS, tell me where you found it, and refresh the password" function?

    Because I've been trying for days to build one that'll actually work properly, without any success.

    Thanks in advance!


    Tim Staddon

    Thursday, August 22, 2019 2:53 PM
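One way to build the inventory half of what the post asks for, as an added example that is not from the original thread: it walks the IIS object model for app pool identities, virtual directory "connect as" credentials and anonymous-auth identities, then falls back to a plain string search of applicationHost.config and every site's web.config files. It assumes an elevated session with the WebAdministration module available, and `$AccountName` is a placeholder to replace.

```powershell
# Added example, not from the post. Assumes an elevated session and the
# WebAdministration module (IIS 7.5+); $AccountName is a placeholder.
Import-Module WebAdministration

$AccountName = 'CONTOSO\svc-volestrangler'   # placeholder account name
$hits = New-Object 'System.Collections.Generic.List[object]'
function Add-Hit([string]$Kind, [string]$Where, [string]$Property) {
    $hits.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Property = $Property })
}

# 1. Application pool identities
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser' -and $pm.userName -ieq $AccountName) {
        Add-Hit 'AppPool' "IIS:\AppPools\$($pool.Name)" 'processModel.userName'
    }
}

# 2. Virtual directory credentials, read straight from applicationHost.config so
#    nested applications and vdirs are covered, not only the site roots
$vdirFilter = 'system.applicationHost/sites/site/application/virtualDirectory'
foreach ($vd in Get-WebConfiguration -Filter $vdirFilter) {
    if ($vd.userName -ieq $AccountName) { Add-Hit 'VirtualDirectory' $vd.ItemXPath 'userName' }
}

# 3. Anonymous authentication identity at every configured location under the sites
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
foreach ($a in Get-WebConfiguration -Filter $anonFilter -PSPath 'IIS:\Sites' -Recurse) {
    if ($a.userName -ieq $AccountName) {
        Add-Hit 'AnonymousAuth' "$($a.PSPath) [$($a.Location)]" 'userName'
    }
}

# 4. Catch-all: IIS encrypts stored passwords but keeps user names in clear text,
#    so a plain string search surfaces anything the object model above missed
$cfgDir = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$files = @(Get-ChildItem $cfgDir -Filter '*.config' -Recurse)
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $files += Get-ChildItem $root -Filter 'web.config' -Recurse -ErrorAction SilentlyContinue
}
foreach ($m in $files | Where-Object { $_ } | Select-String -SimpleMatch $AccountName) {
    Add-Hit 'ConfigFile' "$($m.Path):$($m.LineNumber)" 'text match'
}

$hits | Sort-Object Kind, Where | Format-Table -AutoSize
```

Because the stored passwords are encrypted and cannot be read back, the practical validation after a rotation is to re-run this inventory and re-set the credential on every hit (for example with Set-ItemProperty on the listed path) rather than trying to compare old and new values.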
