The Biden administration is making a Software Bill of Materials (SBOM), an electronically readable format designed to provide an inventory of third-party components in devices, a requirement amid efforts to improve cybersecurity across the federal government and private sector.
Related
Security by obscurity is not enough by itself. You should always enforce the best practices. However, if you can reduce the risk with zero cost, you should do that. Obscurity is a good layer of security.
https://utkusen.com/blog/security-by-obscurity-is-underrated
The Most Important Thing You Haven't Done With Your Password Manager
This afternoon, I’m attending the funeral for a coworker we lost last weekend. Over the course of the next week or two, we’ll be assisting his family in gaining access to the many online services he had managed. Each time I’ve experienced a tragedy like this, I’ve seen the families struggle with the digital footprint and account access of their lost loved one. Like life insurance, emergency access to online services is too often an item on our to-do list, rarely ever getting completed. Password managers help families in these situations. They act as a consolidated list of the accounts making up one’s digital footprint. However, if emergency access has not been set up, they provide no help and access becomes a major hurdle to overcome for a grieving family.
Retrieving Password from Application Pool
I came across an undocumented app the other day. For a number of reasons, we needed to restore the password, but it wasn’t documented anywhere. Luckily, the service account was set up in an app pool. In IIS 7.0 or 7.5, APPCMD can be used to recover the password. In 6.0, adsutil.vbs can be used.
cscript.exe /nologo adsutil.vbs GET W3SVC/AppPools/AppPoolName/WAMUserPass

However, I wanted to write my own little script. Having a little tidbit makes it easy to reuse later for other clients. For example, I could search AD for SPNs starting with “HTTP”, loop through each of their app pools and document the username and passwords for all service accounts used in this fashion. So, here is the little tidbit I threw together.