How Does Aspnet_regiis Generate Keys
- Well, the export off the target server would decrypt the passwords. If the destination server has encrypted sites already, those won't work. I am assuming this is a new server.
- The problem turned out to be related to the permissions of the 'C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys' folder. Making sure the commands are executed using a user that belongs to the administrator group on the machine, and that the administrator group is the owner of that folder, enabled those commands to execute successfully.
- Both the aspnet_regiis -pi command (importing the private key) and the aspnet_regiis -pa command (granting access to the private key) worked without problems there. On the test environment that runs Windows 7, I have been able to successfully import the private key into the key container using aspnet_regiis -pi.
by Saad Ladki
Introduction
This document provides an overview of the steps required for setting up both application pool and worker process isolation on IIS 7.0 and later servers. Application pool isolation entails protecting data that WAS (the Windows Process Activation Service, the IIS process that runs as Local System) needs to access; an example of this data is the application pool passwords. Worker process isolation, on the other hand, entails protecting data that the application pool identity needs to access; an example of this data is the anonymous user account password.
Prerequisites
To help simplify this process, two pieces of sample code are provided that:
- Create a new RSA encryption provider in machine.config.
- Set the name of the default provider in machine.config.
The final prerequisite section guides you in setting up four User accounts that will be used in later topics.
Creating a New RSA Encryption Provider Application
Open Windows Notepad and create a file in a directory of your choosing named createProvider.cs that contains the following C# code:
Next, launch an elevated command prompt:
- Click the Start menu.
- Right-click Command Prompt.
- Select Run as administrator.
In the command prompt window, navigate to the location where you saved the createProvider.cs file and run the following command to compile your code:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\csc.exe /reference:%SystemRoot%\System32\inetsrv\Microsoft.Web.Administration.dll createProvider.cs
This step is now complete.
Creating an Application to Change the Default Provider
Open Windows Notepad and create a file in a directory of your choosing named setProvider.cs that contains the following C# code:
Next, launch an elevated command prompt:
- Click the Start menu.
- Right-click Command Prompt.
- Select Run as administrator.
In the command prompt window, navigate to the location where you saved the setProvider.cs file and run the following command to compile your code:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\csc.exe /reference:%SystemRoot%\System32\inetsrv\Microsoft.Web.Administration.dll setProvider.cs
This step is now complete.
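The two sample programs are not reproduced on this page. What follows is an added example, not the document's createProvider.cs or setProvider.cs: one tool (assumed name cfgProvider.exe) that does both jobs through the System.Configuration API (OpenMachineConfiguration) instead of Microsoft.Web.Administration, so compile it with /reference:System.Configuration.dll rather than the reference shown above, and run it from an elevated prompt. The provider parameters mirror the built-in RsaProtectedConfigurationProvider entry in machine.config.

```csharp
// cfgProvider.exe (assumed name, added example): register an RSA protected-configuration
// provider in machine.config, or make one the default. Needs an elevated prompt.
using System;
using System.Configuration;
static class CfgProvider
{
    // Same type string the built-in RsaProtectedConfigurationProvider entry uses.
    const string RsaProviderType =
        "System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, " +
        "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a";

    static ProtectedConfigurationSection OpenSection(out Configuration config)
    {
        // machine.config of the runtime this program executes under
        config = ConfigurationManager.OpenMachineConfiguration();
        return (ProtectedConfigurationSection)config.GetSection("configProtectedData");
    }

    // Adds a provider bound to a machine-level key container (e.g. Rsa_WAS -> iisWasKey).
    static void CreateProvider(string providerName, string keyContainerName)
    {
        Configuration config;
        ProtectedConfigurationSection section = OpenSection(out config);
        if (section.Providers[providerName] != null)
            throw new InvalidOperationException("Provider already exists: " + providerName);
        ProviderSettings settings = new ProviderSettings(providerName, RsaProviderType);
        settings.Parameters["keyContainerName"] = keyContainerName;
        settings.Parameters["cspProviderName"] = "";
        settings.Parameters["useMachineContainer"] = "true"; // machine store, not a per-user container
        settings.Parameters["useOAEP"] = "false";
        section.Providers.Add(settings);
        config.Save();
    }

    // Switches defaultProvider so IIS encrypts new properties with the named provider.
    static void SetDefaultProvider(string providerName)
    {
        Configuration config;
        ProtectedConfigurationSection section = OpenSection(out config);
        if (section.Providers[providerName] == null)
            throw new InvalidOperationException("Unknown provider: " + providerName);
        section.DefaultProvider = providerName;
        config.Save();
    }

    // Usage: cfgProvider create <provider> <keyContainer>  |  cfgProvider default <provider>
    static int Main(string[] args)
    {
        if (args.Length == 3 && args[0] == "create") CreateProvider(args[1], args[2]);
        else if (args.Length == 2 && args[0] == "default") SetDefaultProvider(args[1]);
        else { Console.Error.WriteLine("usage: create <provider> <keyContainer> | default <provider>"); return 2; }
        Console.WriteLine("machine.config updated");
        return 0;
    }
}
```

After running it, open machine.config as the later verification step describes and confirm the new provider element and the defaultProvider attribute are what you expect.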
Creating User Accounts
In this step, we create four new user accounts that will be used throughout this document.
To begin, open a command shell Window running under administrative rights using the following steps:
- Click the Start menu.
- Right-click Command Prompt.
- Select Run as administrator.
- In the command window, execute the following commands:
This step is now complete.
Application Pool Isolation
IIS has a process called WAS that runs under the context of LOCALSYSTEM and is the only process that needs access to the application pool passwords. In this task, we:
- Create a new RSA key (iisWasKey) that only LOCALSYSTEM and Administrators have access to. This key will be used to encrypt every application pool's passwords.
- Create two application pools.
- Configure each of these application pools to run under different identities and encrypt their passwords using the iisWasKey.
- Restrict NTFS file system permissions on the key files so only SYSTEM and Administrators have access.
Create New RSA Key
- Click the Start menu.
- Right-click on Command Prompt.
- Select Run as administrator.
- In the command window navigate to where you saved your createProvider.exe and run the following command:
Verify that these changes occurred correctly. Open your %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\config\machine.config using Windows Notepad and verify that the lines for the new provider are present in the section:
Encrypt the Application Pool Passwords
By default, whenever a property is encrypted, IIS uses the defaultProvider for encryption defined in machine.config. The default value for this is RsaProtectedConfigurationProvider.
In this step, we use the setProvider.exe application created earlier to change the provider to iisWasKey and then use the IIS Manager to change the passwords:
- Click the Start menu.
- Right-click on Command Prompt.
- Select Run as administrator.
- In the command window navigate to where you saved your setProvider.exe and run the following command:
The default provider Rsa_WAS has been successfully changed.
Create New Application Pools
In this step, we create two new application pools that we isolate from one another. To do so, launch the IIS Manager:
- Click Start, type 'INetMgr.exe' and press Enter (if prompted, select Continue to elevate your permissions).
- Click the + button beside the name of your machine in the Connections section.
- Click Application Pools.
- Select the task on the right titled Add Application Pool.
- Input the Name 'AppPool1' and then press OK as shown:
- Repeat the previous steps, but this time use the name AppPool2.
You now see the following screen within the IIS:
Notice that the identity for both AppPool1 and AppPool2 is NetworkService. We will change this to the accounts we created earlier by right-clicking AppPool1 and then selecting Advanced Settings.
Under the title Process Model:
- Click the button to the right of the word Identity.
- In the Application Pool Identity window, select the 'Custom account' radio button and click the 'Set...' button.
- Input the following user name and password in the Set Credentials dialog:
user name: AppPoolIdentity1
password: password1
Now the Identity value should appear as shown below:
Click OK to save your changes.
Repeat the previous step for AppPool2, using the user name 'AppPoolIdentity2' and the password 'password2'.
You now see the following in the IIS Manager (the Identities for the application pools have changed):
Verify the changes by using Windows Notepad to open the %SystemRoot%\System32\Inetsrv\applicationHost.config file. Navigate to the applicationPools section; you will see that the application pool passwords were encrypted using the Rsa_WAS key as intended:
Locking Down the Encryption Providers
By default, the IIS_IUSRS group is given read access to the keys when they are created. However, you can use the ASPNET_REGIIS tool to remove that access. To do so, run the following commands from the elevated command prompt:
This removes the ability of IIS_IUSRS (the application pool identities group) to read the iisWasKey, which is intended for Administrators and LOCALSYSTEM access only.
Worker Process Isolation
This topic describes how to set up worker process isolation by creating two new sites that belong to different application pools and have different anonymous authentication identities. We then create a new RSA provider for each application pool to encrypt the anonymous passwords.
Create New Sites
In this section, we create two new sites and add each site to an application pool we created earlier. To begin, open a command shell running under administrative rights using the following steps:
- Click the Start menu.
- Right-click Command Prompt.
- Select Run as administrator.
In the command window, navigate to your wwwroot directory using the following command:
Create a new directory named 'one' and a directory 'two' using the following commands:
Create a basic Default.htm file in both the 'one' and 'two' directories that contain following HTML code:
Note
Replace 'X' with either 'one' or 'two' depending on the directory location of the file.
Now use the IIS manager to create two sites:
- Click Start, type INetMgr.exe and press Enter (if prompted, select Continue to elevate your permissions).
- Click the + button beside the name of your machine in the Connections section.
- Right-click Sites in the tree view under Connections and then select Add Web Site.
- Use the following information to create your site:
Web Site Name: One
Application Pool: AppPool1
Physical Path: {location of your inetpub directory}\wwwroot\one
Port: 81
This should look like the following when completed:
Click OK to save the changes.
Repeat the previous two steps but this time use the following information for the second site:
Web Site Name: Two
Application Pool: AppPool2
Physical Path: {location of your inetpub directory}\wwwroot\two
Port: 82
You have now created two new sites named One and Two and added them to the AppPool1 and AppPool2 application pools.
The URLs to test your sites are:
http://localhost:81 for site One
http://localhost:82 for site Two
Create New Providers for Each Application Pool
In this section, we create a new RSA provider for each of the application pools:
- Click the Start menu.
- Right-click Command Prompt.
- Select Run as administrator.
- In the command window, navigate to where you saved your createProvider.exe and run the following command:
Set the Anonymous Account for Site One
In your elevated command prompt Window, run the following command:
- Return to IIS Manager and double-click site One.
- Double-click the Authentication item under the Feature Name heading.
- Select Anonymous Authentication and then click Edit under the Tasks heading on the right side, which brings up the Edit Anonymous Authentication Credentials dialog box.
- Click the Specific User option and then click the Set button.
- Input the username AnonymousAccount1 and password password3 and select OK.
- This brings up the following dialog box:
- Press OK to save your changes.
Set the Anonymous Account for Site Two
In your elevated command prompt Window, run the following command:
- Return to IIS Manager and double-click site Two.
- Double-click the Authentication item under the Feature Name heading.
- Select Anonymous Authentication and then click Edit under the Tasks heading on the right side, which brings up the Edit Anonymous Authentication Credentials dialog box.
- Click the Specific User option and click Set.
- Input the username AnonymousAccount2 and password password4 and select OK.
- Click OK to save your changes.
Reset the Encryption Provider to the Default
- Return to your elevated command prompt Window and run the following command:
Note
This change ensures that all properties encrypted from now on use the default encryption provider.
Verify the Changes
Verify that what we wanted did happen. Using Windows Notepad, open the %SystemRoot%\System32\Inetsrv\applicationHost.config file:
Notice that the passwords for AppPool1 and AppPool2 are both still protected with the Rsa_WAS key.
Notice that the password for AnonymousAccount1 is also protected with the Rsa_app1 key:
Finally, note that the AnonymousAccount2 password is also protected with the Rsa_app2 key:
Locking Down the Encryption Providers
Secure the file permissions for the keys as done previously. Run the following commands from the elevated command prompt:
These commands have removed the ability of IIS_IUSRS to read the keys and added only the application pool identity that needs access permission to the keys.
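Both lock-down steps (the one for iisWasKey under Application Pool Isolation and this one for the per-pool keys) rely on aspnet_regiis changing the NTFS ACL of the key container file in the MachineKeys folder mentioned in the comments at the top of the page. The following added example, not part of the document, reads that ACL back so you can confirm IIS_IUSRS is gone and only the intended identities remain. It assumes a machine-level container created with the default CSP and the hypothetical tool name keyAcl.exe; run it elevated.

```csharp
// keyAcl.exe (assumed name, added example): list who can read a machine-level RSA key
// container, so the aspnet_regiis -pr/-pa changes above can be verified.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
static class KeyContainerAcl
{
    // Machine-level containers are files under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
    // (C:\Users\All Users\... is a junction to the same directory).
    static string ContainerFilePath(string containerName)
    {
        CspParameters csp = new CspParameters();
        csp.KeyContainerName = containerName;
        // UseExistingKey: fail if the container is missing rather than silently creating a new key
        csp.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp))
        {
            string dir = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(dir, rsa.CspKeyContainerInfo.UniqueKeyContainerName);
        }
    }

    // Accounts holding Allow entries (explicit or inherited) on the container file.
    static List<string> AllowedIdentities(string containerName)
    {
        List<string> names = new List<string>();
        FileSecurity acl = File.GetAccessControl(ContainerFilePath(containerName));
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (rule.AccessControlType == AccessControlType.Allow)
                names.Add(rule.IdentityReference.Value + " : " + rule.FileSystemRights);
        }
        return names;
    }

    // Usage: keyAcl.exe <keyContainerName>   (exit code 1 if IIS_IUSRS still has access)
    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: keyAcl.exe <keyContainerName>"); return 2; }
        bool iusrsPresent = false;
        foreach (string entry in AllowedIdentities(args[0]))
        {
            Console.WriteLine(entry);
            if (entry.IndexOf("IIS_IUSRS", StringComparison.OrdinalIgnoreCase) >= 0) iusrsPresent = true;
        }
        Console.WriteLine(iusrsPresent ? "WARNING: IIS_IUSRS can still read this key" : "OK: IIS_IUSRS has no access");
        return iusrsPresent ? 1 : 0;
    }
}
```

For the worker process keys the expected output lists SYSTEM, Administrators and the single application pool identity that was granted access; for iisWasKey it should list only SYSTEM and Administrators.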
Testing Your Sites
Now test your sites:
http://localhost:81
http://localhost:82
Everything should continue to work as it had before.
Summary
In summary, we performed the following tasks to secure the application pool settings:
- Created two application pools
- Created two local user accounts and configured them as the application pool identities
- Created an administration encryption key and used it to protect all the application pool identity passwords
- Used ASPNET_REGIIS to remove IIS_IUSRS (the application pool identities group) from accessing the key
These tasks effectively ensured that only the Administrators and SYSTEM accounts can read the passwords for the application pools. Therefore, if applications within an application pool tried to retrieve the passwords for their (or any) application pool, the attempt would fail.
To isolate the worker process settings, we:
- Created a new anonymous identity account
- Created a new provider for the application pool
- Encrypted the anonymous authentication password with the application pool key
- Removed access to the anonymous authentication provider for IIS_IUSRS and granted access to just the application pool identity
This effectively ensured that only the application pool identity can decrypt the anonymous password that belongs to it, and no one else can.
Azure Key Vault helps solve the following problems:
- Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
- Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
- Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
- Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or FIPS 140-2 Level 2 validated HSMs
Why use Azure Key Vault?
Centralize application secrets
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked. When using Key Vault, application developers no longer need to store security information in their application. Not having to store security information in applications eliminates the need to make this information part of the code. For example, an application may need to connect to a database. Instead of storing the connection string in the app's code, you can store it securely in Key Vault.
Your applications can securely access the information they need by using URIs. These URIs allow the applications to retrieve specific versions of a secret. There is no need to write custom code to protect any of the secret information stored in Key Vault.
Securely store secrets and keys
Secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
Authentication is done via Azure Active Directory. Authorization may be done via role-based access control (RBAC) or Key Vault access policy. RBAC is used when dealing with the management of the vaults and key vault access policy is used when attempting to access data stored in a vault.
Azure Key Vaults may be either software- or hardware-HSM protected. For situations where you require added assurance you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. Microsoft uses nCipher hardware security modules. You can use nCipher tools to move a key from your HSM to Azure Key Vault.
Finally, Azure Key Vault is designed so that Microsoft does not see or extract your data.
Monitor access and use
Once you have created a couple of Key Vaults, you will want to monitor how and when your keys and secrets are being accessed. You can monitor activity by enabling logging for your vaults. You can configure Azure Key Vault to:
- Archive to a storage account.
- Stream to an event hub.
- Send the logs to Azure Monitor logs.
You have control over your logs and you may secure them by restricting access and you may also delete logs that you no longer need.
Simplified administration of application secrets
When storing valuable data, you must take several steps. Security information must be secured, it must follow a life cycle, and it must be highly available. Azure Key Vault simplifies the process of meeting these requirements by:
- Removing the need for in-house knowledge of Hardware Security Modules.
- Scaling up on short notice to meet your organization's usage spikes.
- Replicating the contents of your Key Vault within a region and to a secondary region. Data replication ensures high availability and takes away the need of any action from the administrator to trigger the failover.
- Providing standard Azure administration options via the portal, Azure CLI and PowerShell.
- Automating certain tasks on certificates that you purchase from Public CAs, such as enrollment and renewal.
In addition, Azure Key Vaults allow you to segregate application secrets. Applications may access only the vault that they are allowed to access, and they can be limited to only perform specific operations. You can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers.
Integrate with other Azure services
As a secure store in Azure, Key Vault has been used to simplify scenarios like:
- The Always Encrypted functionality in SQL Server and Azure SQL Database
- Azure App Service.
Key Vault itself can integrate with storage accounts, event hubs, and log analytics.