Guy’s Scripting Ezine 128 – Script to obtain IUSR and IWAM Passwords.
- This Week’s Secret
- This Week’s Mission
- Example 1 – Script which obtains the IUSR Password
- Example 2 – Script which obtains the IUSR and IWAM Passwords
- Summary of PowerShell And Active Directory
♣
This Week’s Secret
Paul DeBrino has unearthed another gem of a script. What Paul’s script does is display the password for the Anonymous user accounts on your IIS server. Now until I tested the script I did not think it would be possible to discover these metabase passwords. My only sadness is that the script does not also reveal user account passwords stored in Active Directory. This is a specialist script to query the IIS metabase, note the key instruction:
GetObject ("IIS://localhost/w3svc")
This Week’s Mission
This Week’s Mission is to interrogate the IIS’s metabase and display the password for the IUSR_ServerName and IWAM_ServerName accounts. The metabase is a special file rather like the registry, but solely for IIS settings.
To put our mission in perspective, let us remember that files on a Windows IIS server, even html files, are subject to permission security. As people viewing the website from the internet are unlikely to have domain or even local accounts, Microsoft provide the Anonymous accounts IUSR_ServerName to allow visitors to see IIS web pages.
Now the relationship between the Anonymous accounts and the ‘Everyone’ group is tricky, a) The membership of Everyone changes in IIS, b) The Everyone group is not well understood by the average administrator. Therefore, I suggest that best would be to check the group Everyone for your version of Windows, this is the situation in Windows Server 2003: – By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users.
Example 1 – Script which obtains the IUSR Password
The purpose of this script is to extract, then display the IUSR_Servername account and password.
Prerequisites
You need to run the script on a Windows Server with IIS installed.
Instructions
- Instructions for decoding the IUSR password.
- Copy and paste the example script below into notepad or use a VBScript editor. E.g. OnScript.
- Save the file with a .vbs extension, for example: IUSR.vbs
- Double click IUSR.vbs, then check the message box for the passwords.
‘ Example VBScript to decode the anonymous user password
‘ Authors Guy Thomas and Paul DeBrino
‘ Version 1.2 – October 2006
‘ ———————————————————————-
Option Explicit
Dim objIIS, strMessage
Set objIIS = GetObject ("IIS://localhost/w3svc")
strMessage = "The metabase reports the anonymous credentials as:" _
& vbcrlf & " AnonymousUserName = " & objIIS.Get("AnonymousUserName") _
& vbcrlf & " AnonymousUserPass = " & objIIS.Get("AnonymousUserPass")
Set objIIS = Nothing
WScript.Echo strMessage
‘ END OF SCRIPT
Learning Points
Note 1: Here is the command that creates the crucial object: Set objIIS = GetObject ("IIS://localhost/w3svc"). Observe that it connects to IIS (Metabase) and not to Active Directory.
Note 2: Once we have the objIIS object then we can employ the ‘Get’ verb to extract the password.
Note 3: Obtain a good script editor which highlights keyword such as ‘Get, GetObject and Set’. Test a free download of OnScript.
Guy Recommends: Tools4ever’s UMRA
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.
Example 2 – Script which obtains the IUSR and IWAM Passwords
This script reveals the password of both IUSR and IWAM_Machine IWAM is a separate anonymous account for connecting to the Web Application Manager. It’s used by COM+ applications needing to host ISAPI extensions. What IWAM does is allow the DLLHOST.exe to communicate with INETINFO.exe.
Pre-requisites
‘ Example VBScript to decode the anonymous user password
‘ Authors Guy Thomas and Paul DeBrino
‘ Version 1.3 – October 2006
‘ —————————————————————-
Option Explicit
Dim objIIS, strMessage
Set objIIS = GetObject ("IIS://localhost/w3svc")
strMessage = "The metabase reports the anonymous credentials as:" _
& vbcrlf & " AnonymousUserName = " & objIIS.Get("AnonymousUserName") _
& vbcrlf & " AnonymousUserPass = " & objIIS.Get("AnonymousUserPass") _
& vbcrlf & " WAMUserName = " & objIIS.Get("WAMUserName") _
& vbcrlf & " WAMUserPass = " & objIIS.Get("WAMUserPass")
Set objIIS = Nothing
WScript.Echo strMessage
‘ END OF SCRIPT
Guy’s Challenges
Investigate both the physical settings tab in your IIS server snap-in and also the documentation associated with the Metabase and the Anonymous accounts. If you are fascinated by the metabase then search Microsoft’s site and download MtaEdt32.exe.
Summary of obtaining IUSR and IWAM Passwords.
The IUSR and IWAM_Servername accounts are stored not in Active Directory, but in the metabase file. It is possible to run a VBScript to interrogate the metabase and reveal the passwords for these anonymous accounts.
See More Active Directory VBScripts for Passwords
• User Spreadsheet • Add Users to Groups • Create Users • Free CSV Importer • Ezines
• Ezine 11 Password • Ezine 22 Password • Ezine 50 PwdSetLast • VBS PwdLastSet
• Ezine 128 IUSR Passwords • VBScript change password • Log Management • Tool Kit