IIS : Application pools and Domain credentials


If you are running IIS (the default web server on Windows when you install the Web Server role) and you have an ASP or ASP.NET application that needs to run under a domain account, there is something you need to know.

IIS + Application Pool + Domain Account = Clear Text Passwords

You need to be aware that IIS stores your service account credentials in a form that can be read back in clear text, even though they are encrypted on disk. Query your application pool with the command below:

appcmd list apppool <ApplicationPoolName> /text:*

You will get back something like this:


The response looks pretty normal: there is nothing malicious, and no data that could be used to escalate your privileges, as you are getting "access denied".

Elevated Access Required

Hold that thought, Skeletor: if you run the command prompt as an elevated administrative user, the elevated process has the necessary permissions to decrypt the password and display it on your screen in clear text.


Then we try the same command again:

appcmd list apppool <ApplicationPoolName> /text:*

The horror of clear text passwords

The results now show the password in clear text, along with the username:


Yes, they are encrypted, but elevated access can decrypt them

If, however, your application pools are linked to local accounts, this problem does not occur. It only seems to affect the way domain-based accounts are stored in IIS, and it seems to affect all versions of IIS, even if you specify IISWASOnlyAesProvider as the encryption provider in applicationHost.config.

Issue is not fixed - use caution

Currently there is no way around this: if a user has administrative access to the server, any domain-based service account used in an application pool will have its password available in clear text.

Issue from a security lens

This is bad enough, but what if a developer decided to give that "service account" Domain Admin rights? That would be more of a nightmare, because now privilege escalation enters the mix: before you know it you can make your own account a Domain Admin, and from there it is pretty much game over for your domain.

Advice

The best protection you have, where application pools use domain accounts, is to limit who can access your IIS servers, both locally and remotely. We are no longer in a world where everybody needs full administrative access.
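As an added example (not the post's own code), here is a PowerShell audit that parses applicationHost.config and reports which application pools run under a domain account, so you know exactly where this exposure exists before deciding who gets admin on the box. The function name, the local-versus-domain heuristic and the sample XML are my own constructions; on a real server you would feed it the live config file instead.

```powershell
# Added example, not from the original post: list application pools that run
# as a specific user and flag domain accounts, without decrypting anything.
# The XML below is a constructed sample; on a real server read
# %windir%\System32\inetsrv\config\applicationHost.config instead.
function Get-DomainAppPoolIdentity {
    param([Parameter(Mandatory)][xml]$Config)   # parsed applicationHost.config
    $pools = $Config.configuration.'system.applicationHost'.applicationPools.add
    foreach ($pool in $pools) {
        $pm = $pool.processModel
        # Only identityType="SpecificUser" stores a password; built-in identities
        # (ApplicationPoolIdentity, NetworkService, ...) have none to recover.
        if (-not $pm -or $pm.GetAttribute('identityType') -ne 'SpecificUser') { continue }
        $user   = $pm.GetAttribute('userName')
        $secret = $pm.GetAttribute('password')
        # Treat "MACHINE\user" and ".\user" as local; any other "X\user" or a
        # UPN ("user@domain") as domain-based. This heuristic is an assumption.
        $prefix = if ($user -match '^([^\\]+)\\') { $Matches[1] } else { $null }
        $isDomain = ($user -match '@') -or ($prefix -and $prefix -ne '.' -and $prefix -ne $env:COMPUTERNAME)
        [pscustomobject]@{
            Pool          = $pool.GetAttribute('name')
            UserName      = $user
            DomainAccount = $isDomain
            # Encrypted on disk as [enc:Provider:...:enc], but, as the post shows,
            # any local administrator can have appcmd decrypt it.
            Encrypted     = ($secret -like '[[]enc:*')
        }
    }
}

$sample = @'
<configuration><system.applicationHost><applicationPools>
  <add name="DefaultAppPool" />
  <add name="IntranetPool">
    <processModel identityType="SpecificUser" userName="CORP\svc-intranet"
                  password="[enc:IISWASOnlyAesProvider:CONSTRUCTED-BLOB:enc]" />
  </add>
  <add name="LocalPool">
    <processModel identityType="SpecificUser" userName=".\localsvc"
                  password="[enc:IISWASOnlyAesProvider:CONSTRUCTED-BLOB:enc]" />
  </add>
</applicationPools></system.applicationHost></configuration>
'@

# Swap the sample for the live file: [xml](Get-Content $configPath -Raw)
Get-DomainAppPoolIdentity -Config ([xml]$sample) |
    Where-Object DomainAccount | Format-Table -AutoSize
```

With the sample above only IntranetPool is reported; every pool it lists is one whose domain password a local administrator could read with the appcmd command shown earlier.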
