Ensure 'passwordFormat' is not set to clear (Scored)


I am currently working on PowerShell cmdlets to apply server hardening (more to IIS hardening) based on CIS benchmark framework.

My task is to relate the hardening steps, which are in GUI form, to PowerShell commands to be able to automate the hardening processes.

I need some help on this portion

" Ensure ‘passwordFormat’ is not set to clear (Scored)"
The <credentials> element of the <authentication> element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they’ve been granted authorization. Note that the <credentials> element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1.

Authentication credentials should always be protected to reduce the risk of stolen authentication credentials.

with all the information provided above, I tried to do up an automated script.

Thus, I had some difficulties locating the machine.config file via PowerShell to configure the passwordFormat from Clear to SHA1.

Really appreciate some help from those who have managed to do before to share some idea.

Thank you @Ratty


Are you planning to change machine.config directly?
You should be using cmdlets (Set-WebConfigurationProperty) from the WebAdministration module.

Hi kvparsoon,

Thanks for the response.

Yes, I am changing values within the machine.config file.

Well, the real difficulty is I am trying to figure out what is the path.

For Example,
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/basicAuthentication" -Name Enabled -Value True

The cmdlet above allows me to enable and disable basic authentication (the value needs to be changed a little to disable it).



I am looking for the filters that direct me to the preferences I will want to change.

which will be changing passwordFormat=Clear to passwordFormat=SHA1 in the machine.config file.


Looking forward to your knowledge sharing.

Thank you
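One way to audit and remediate this item with the WebAdministration module rather than editing the file by hand, as an added example that is not from either poster. It assumes the IIS configuration path 'MACHINE' maps to machine.config and 'MACHINE/WEBROOT' to the root web.config, that the attribute lives under system.web/authentication/forms/credentials, and that the session is elevated.

```powershell
# Added example (not the original poster's script): audit the forms-authentication
# passwordFormat attribute and set it to SHA1 wherever it is still Clear.
Import-Module WebAdministration

# Assumed IIS configuration paths: 'MACHINE' is machine.config, 'MACHINE/WEBROOT' is
# the root web.config (the level the CIS remediation normally targets).
$Filter = 'system.web/authentication/forms/credentials'
$Paths  = @('MACHINE', 'MACHINE/WEBROOT')

function Get-PasswordFormat {
    param([string]$PSPath)
    $value = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name 'passwordFormat'
    # Attributes may come back wrapped in a ConfigurationAttribute object; unwrap to a string.
    if ($null -ne $value -and $null -ne $value.Value) { $value = $value.Value }
    if ($null -eq $value) { return $null }
    return [string]$value
}

function Test-PasswordFormat {
    # Returns one audit row per configuration path; Compliant is false for Clear or unreadable.
    param([string]$PSPath)
    $fmt = Get-PasswordFormat -PSPath $PSPath
    [pscustomobject]@{
        PSPath         = $PSPath
        PasswordFormat = $fmt
        Compliant      = ($null -ne $fmt -and $fmt -ne 'Clear')
    }
}

function Set-PasswordFormatSha1 {
    # Remediation step: rewrite the attribute through the configuration system, which
    # keeps the schema and file permissions intact instead of editing the XML directly.
    param([string]$PSPath)
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name 'passwordFormat' -Value 'SHA1'
}

# Audit first so the before-state is recorded.
$Paths | ForEach-Object { Test-PasswordFormat -PSPath $_ } | Format-Table -AutoSize

# Remediate only the paths the audit reported as Clear, then show the after-state.
foreach ($p in $Paths) {
    if ((Test-PasswordFormat -PSPath $p).PasswordFormat -eq 'Clear') {
        Set-PasswordFormatSha1 -PSPath $p
    }
}
$Paths | ForEach-Object { Test-PasswordFormat -PSPath $_ } | Format-Table -AutoSize
```

Any individual site or application web.config that overrides the attribute will not be caught by these two paths; extend $Paths with 'IIS:\Sites\<name>' entries to audit those too.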