
I have run into an issue where a single site's App Pool Identity password is being randomly changed to the password of a different App Pool Identity. The App Pool ID username does not change, just the password. The IIS logs and Event Viewer logs show only errors that are caused as a result of the change, just not when the change actually occurred or what caused it. Is there a way I could monitor or log more complete changes to this specific site?

I rebuilt the site twice and the issue is still occurring, so something/some account is causing this to change and I need to figure out why. I usually go in and manually change it to the correct password, but it will change again sometime throughout the day.

Some more info:

The site is on a VM using Windows Server 2012 R2 Standard. We are using IIS Version 8.0.9200. The App Pool Identities for all sites use unique domain accounts specific to each site.

We have 5 other similar sites, built exactly the same way, for which the issue does not occur.

e.g.:

somesite1.com
somesite2.com
somesite3.com
somesite4.com
somesite5.com

Each site uses a unique App Pool ID and Password.

e.g.:

somedomain\SomeSite1WebService
somedomain\SomeSite2WebService
somedomain\SomeSite3WebService
somedomain\SomeSite4WebService
somedomain\SomeSite5WebService

The issue is when SomeSite4's App Pool ID password changes to the password for somedomain\SomeSite5WebService.

Asked by sec_eng1

1 Answer

Look in the event log on your domain controllers for event ID 627, 628, 4723 or 4724. These events are logged when a user changes their own password or an admin resets a password. (If you don't see these events, then you need to turn on logging for them, see https://www.netwrix.com/how_to_detect_password_changes.html)

Those events will tell you who changed the password and from what machine.

You should also consider creating a new user account for SomeSite5WebService with a different username. That might stop the problem from happening, and whatever process is changing the password will fail, and that might result in an error that you will notice.

Answered by longneck
Comment: I had our domain admins check on this since I do not have access to the DCs, and there is no recorded password change. The password does not change in AD, only on the App Pool ID. There is another similar site on a different server in the same environment using this domain account that does not change. There seems to be a local script or process that is changing the App Pool Identity for this site only. The only way I knew the password was changed was when I ran my PowerShell script; I saw it was not the same in AD. I want to monitor App Pool changes to this site. – sec_eng1 Nov 29 '18 at 16:50
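The following PowerShell script is an added example that ties the three threads above together; it is not code from the question, the answer or the commenter's own script. It assumes an elevated session on the IIS host with the WebAdministration module, read access to a domain controller's Security log for the 4723/4724 check, and uses the placeholder names from the thread (`SomeSite4`, `somedomain\SomeSite4WebService`, a made-up DC host name). Part 1 is the answer's DC check; part 2 is the commenter's "does the stored credential still match AD" check; part 3 addresses the commenter's actual question of finding out when and by what process applicationHost.config was rewritten, using IIS's built-in configuration history and a file-system audit SACL so the next change produces a 4663 event on the web server itself.

```powershell
# Added example (not from the original thread). Run elevated on the IIS host.
Import-Module WebAdministration

$AppPool      = 'SomeSite4'                         # hypothetical app pool name
$ExpectedUser = 'somedomain\SomeSite4WebService'    # placeholder from the question
$DomainCtrl   = 'dc01.somedomain.local'             # placeholder DC host name
$AppHostCfg   = "$env:SystemRoot\System32\inetsrv\config\applicationHost.config"

# Parse an event's <EventData> into a hashtable of Name -> value.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $data
}

# --- 1. The answer's check: password changes/resets recorded on the DC ----------
# 4723 = user changed own password, 4724 = an account's password was reset.
# SubjectUserName is the actor, TargetUserName the account whose password changed.
function Get-PasswordChangeEvents([int]$Days = 7) {
    $filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainCtrl -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                               Target = $d['TargetUserName']; ChangedBy = $d['SubjectUserName'] }
        } | Where-Object { $_.Target -like '*WebService' }
}

# --- 2. The commenter's check: does the pool's stored credential still match AD? --
# WebAdministration returns processModel.password in clear text to an administrator,
# so the stored secret can be validated against the domain without changing anything.
function Test-AppPoolCredential {
    $pm   = (Get-ItemProperty "IIS:\AppPools\$AppPool").processModel
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    [pscustomobject]@{
        AppPool         = $AppPool
        ConfiguredUser  = $pm.userName
        UserAsExpected  = ($pm.userName -eq $ExpectedUser)
        PasswordValidAD = $ctx.ValidateCredentials($pm.userName, $pm.password)
    }
}

# --- 3. Find out *when* and *by what* applicationHost.config was rewritten ---------
# 3a. IIS keeps a copy of every committed applicationHost.config under inetpub\history
#     (CFGHISTORY_* folders); their timestamps bracket the moment the credential changed.
function Get-ConfigHistory {
    Get-ChildItem "$env:SystemDrive\inetpub\history" -Directory |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime
}

# 3b. Put a write-audit SACL on applicationHost.config so the next change logs a 4663
#     event on this host naming the account and the process that wrote the file.
function Enable-ConfigWriteAudit {
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $acl  = Get-Acl $AppHostCfg -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Write,Delete', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl $AppHostCfg $acl
}

# 3c. Summarise who/what has written the file since the audit was enabled.
function Get-ConfigWriteEvents([int]$Days = 1) {
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_['ObjectName'] -like '*applicationHost.config*' } |
        ForEach-Object { [pscustomobject]@{ Account = $_['SubjectUserName']; Process = $_['ProcessName'] } } |
        Sort-Object Account, Process -Unique
}

Get-PasswordChangeEvents | Format-Table -AutoSize
Test-AppPoolCredential
Get-ConfigHistory | Select-Object -First 5
# Enable-ConfigWriteAudit   # run once; then review Get-ConfigWriteEvents after the next change
```

Run parts 1 and 2 as-is, then call `Enable-ConfigWriteAudit` once and leave it in place until the password flips again; `Get-ConfigWriteEvents` will then show the account and executable (for example a scheduled task's script host, or an `appcmd`/`inetmgr` session) that wrote the configuration, which is exactly the piece the IIS and application logs in the question do not record. The configuration history folders in `inetpub\history` are created by IIS on every commit, so they can narrow down the time of earlier changes even before auditing was switched on.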