IIS Insider - March 2004

By Brett Hill

Is it Best Practice to Rename the Inetpub and Wwwroot Directories?

Q: We are updating security for IIS 5.0 servers in our environment. It has been suggested that we rename the Inetpub and wwwroot directories. We do not see the value add in doing this, could you provide some insight?

A: For a secure server, it is best not to use the standard directory names. With IIS, an attacker does not necessarily know the underlying file structure of the server. For example, if you map a web site root to d:\websites\mywebsite and deliver the page default.asp when people access your server, the client has no ready way to determine that the default file resides in the d:\websites\mywebsite folder. An attacker who obtains Write access to the server will want to write their own executable programs to it, which requires a location that grants execute permission to the user context the attacker is using. In the default configuration of IIS 5, several locations give Full Control permissions to Everyone, such as the \inetpub\scripts folder. Of course, these folders should be removed or modified, and that's one of the tasks accomplished by the IIS Lockdown tool.

It is important to move the web server files to a drive other than the system drive (where Inetpub is created by default). This prevents attackers from taking advantage of a potential canonicalization attack (i.e., fooling IIS by using ..\.. to traverse directories). As an added precaution, you can change the folder names from those provided by the default installation. This eliminates well-known paths, which makes an attacker's job more difficult. Because this is simple to do (at least when you first install the server) and provides added security, it is considered a best practice and should be done where feasible.
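The two checks this answer describes, as an added example that is not part of the original column: flag site home directories that sit on the system drive or use default folder names, and show that a ..\ sequence can climb to the root of its own drive but never to another drive. The site list, the C:\WINNT system directory, the sample file name and the function names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules; works on any OS

# Folder names created by a default IIS 5 installation (named in the column).
DEFAULT_NAMES = {"inetpub", "wwwroot", "scripts"}


def audit_web_root(root, system_drive="C:"):
    """Return findings for one site home directory."""
    findings = []
    drive, tail = ntpath.splitdrive(ntpath.normpath(root))
    if drive.lower() == system_drive.lower():
        findings.append("on-system-drive")
    parts = [p.lower() for p in tail.split("\\") if p]
    hits = sorted(DEFAULT_NAMES.intersection(parts))
    if hits:
        findings.append("default-name:" + ",".join(hits))
    return findings


def resolves_under(root, relative, target_dir):
    """Model a server that fails to strip ..\\ segments: does a request
    path relative to the web root end up inside target_dir?"""
    if ntpath.splitdrive(relative)[0] or relative.startswith("\\"):
        raise ValueError("only relative paths are modelled")
    landed = ntpath.normpath(ntpath.join(root, relative)).lower()
    target = ntpath.normpath(target_dir).lower()
    return landed == target or landed.startswith(target + "\\")


def audit_sites(sites, system_dir=r"C:\WINNT"):
    """Map site name -> (findings, system directory reachable via ..\\)."""
    probe = "..\\" * 8 + r"WINNT\sample.txt"  # constructed probe path
    report = {}
    for name, root in sites.items():
        report[name] = (audit_web_root(root, ntpath.splitdrive(system_dir)[0]),
                        resolves_under(root, probe, system_dir))
    return report


if __name__ == "__main__":
    # Constructed sample data, as it might be read from each site's Path setting.
    sample_sites = {
        "Default Web Site": r"C:\Inetpub\wwwroot",
        "Intranet": r"d:\websites\mywebsite",
        "Legacy": r"D:\Inetpub\site1",
    }
    for site, (findings, reachable) in audit_sites(sample_sites).items():
        print(f"{site}: findings={findings} system_dir_reachable={reachable}")
```

Only the site on C: reports the system directory as reachable; the D: site that kept the Inetpub name is flagged solely for its well-known path.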

Do You Need to Install Certificate Services to Create a Certificate for IIS?

Q: I need to install a certificate on my server in order to enable SSL. I'd rather not purchase a certificate as this is just for my intranet. Do I need to install Certificate Services to create a certificate for IIS?

A: That is one way to achieve your goal. When you install Certificate Services on an IIS server, it creates a virtual directory named Certserv that hosts a web-based interface to Certificate Services. You can then generate a certificate request and paste it into the forms in the Certificate Services application, which then issues you a certificate. You can find step-by-step instructions for this process in a number of places, including "Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0" and "HOW TO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment by Using Certificate Server 2".

Having said all that, if you are using IIS 6.0 and need to install a certificate for testing or internal use, you can do it in about 2 seconds with the use of the SelfSSL utility from the IIS 6 Resource Kit. Just type SelfSSL at the command line and it will instantly install a self-signed certificate on the default web site. You can install a certificate on other sites and control the contents of the certificate including the common name and expiration date using command-line switches. See the SelfSSL documentation for exact details.

If you are not using IIS 6 yet, then you can use the SSLDiag tool available from the Microsoft Download Center. Be sure to download the full setup.exe package in order to get the SSLDiag documentation. To install a certificate on a web site, right-click the Web site level (shown by [W3SVC/<site number>]) in the main window of SSL Diagnostics, and then click Create New Certificate. This tool does not give you the ability to customize the certificate, but it does allow you to install an automatically generated certificate intended for testing purposes.

While these tools will create self-signed certificates, if you need self-signed certificates with a greater degree of control over content (for example, to issue client certificates for an extranet), then Certificate Services is the way to go. If you need your web sites to provide a trusted SSL connection for anonymous users, then you will need to purchase certificates from a trusted Certificate Authority.

How Do You Create Web Folders on the Server?

Q: We have an IIS 5 server and would like to use web folders to publish content to the server. I can find information on how to create a web folder on the client systems, but how do I create a web folder on the server? Also, after it's configured, can we map a drive to the server with net use and copy content to the server with xcopy?

A: Using web folders can be very convenient. If you're not familiar with the concept, a web folder is essentially a folder like the one you see for a directory in Explorer, but the content is on an IIS server. Once it is created, you can drag and drop content to the web folder, rename files, and otherwise manage content on the IIS server just as you would in a local folder, except that you're using HTTP. This gives you a very convenient way to publish content to IIS without using FTP or another specialized mechanism.

Unfortunately, the full story on web folders (WebDAV) is pretty complicated. As a result, it is difficult to implement a company-wide system for publishing using web folders in a diverse environment. The specifics depend on which client operating system you are using to talk to which version of IIS, and on whether FrontPage Server Extensions are installed on the IIS server. For your example, we'll presume you are using IIS 5 with Windows XP Professional as the client operating system, and that FrontPage Server Extensions are not installed (when FrontPage Server Extensions are on the server, they provide web folder functionality instead of the native provider).

First, let's clear up a couple of misconceptions. Web folders are created on the client, so you do not create a web folder on the server. On the server side, you simply need to identify the location where you want clients to place their files when using web folders and configure that folder with appropriate NTFS permissions. You also need to configure IIS to permit the Write permission and configure authentication to suit your needs.

Since you're using Windows XP Professional, you must place this content in a directory on the IIS server. In other words, you cannot have the web folder URL be http://servername. This is a peculiar requirement of the WebClient service on Windows XP Professional, which provides web folder functionality through the net use command.

If all this is set up correctly in Windows XP Professional, you can go to a command prompt and type:

net use * http://servername/foldername

and a drive will be mapped to the IIS server. You can then use xcopy to move content to IIS. Keep in mind that the mapped drive is part of the user's profile and will not be present if a new user logs on to the computer.
