Context: I'm trying to use a custom windows account for application pool, and enable Oracle OS authentication so that we would not have to store DB username and password in a config file.
Problem:
This setup works; however, I've noticed that I am able to 'recover' the password using appcmd.exe. Is there a way to make sure someone with administrative and physical access cannot read the password in plain text?
This is a Windows 2016 machine, IIS 10. The password looks encrypted when looking into the applicationHost.config file.
The following command shows the password:
%systemroot%\system32\inetsrv\appcmd.exe list apppool "ImoAppPool" /text:*
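As an added example (not part of the question above), here is a PowerShell audit that lists every application pool running as a specific Windows account, i.e. the pools for which IIS keeps a password in applicationHost.config that a local administrator can read back the way the question describes. It assumes the WebAdministration module that ships with IIS on Windows Server 2016 and the IIS:\ drive it provides.

```powershell
# Added example, not from the original post.
# Enumerate IIS application pools and flag those whose identity is a specific
# user account ('SpecificUser'), because for that identity type IIS stores the
# account password (reversibly encrypted) in applicationHost.config, and anyone
# who can run appcmd.exe as an administrator can read it back in clear text.
# Pools using built-in identities (ApplicationPoolIdentity, NetworkService, ...)
# have no stored password and are reported but not flagged.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Name           = $_.Name
            IdentityType   = $pm.identityType
            UserName       = $pm.userName
            # True when IIS holds a recoverable password for this pool
            StoresPassword = ($pm.identityType -eq 'SpecificUser')
        }
    }
}

# Show only the pools that carry a stored password, so they can be reviewed.
Get-AppPoolIdentityReport |
    Where-Object { $_.StoresPassword } |
    Format-Table Name, IdentityType, UserName -AutoSize
```

Run it elevated on the IIS host; a pool such as "ImoAppPool" configured with a custom account will appear in the output, which is exactly the set of pools whose password appcmd.exe can reveal.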