Storing Content on a Dedicated Disk Volume

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Store the files and folders that comprise the content of your Web sites and applications on a dedicated disk volume that does not contain the operating system. Doing this helps prevent directory traversal attacks. Directory traversal attacks occur when an attacker sends the Web server a request for a file that is located in a directory structure other than the one holding the Web content.

For example, Cmd.exe exists in the systemroot\System32 folder. Without the appropriate security settings, an attacker might be able to request systemroot\System32\Cmd.exe and invoke the command prompt. If the Web site content is stored on a separate disk volume, such a directory traversal attack cannot work because Cmd.exe does not exist on that volume. The default NTFS permissions for Windows Server 2003 prohibit anonymous users from executing or modifying any files in the systemroot folder and its subfolders, so only an authenticated user acting without authorization could perform this type of attack.

In addition to security concerns, placing the content on a disk volume that is dedicated to Web site and application content makes administration tasks, such as backup and restore, easier. In cases where you store the content on a separate physical drive that is dedicated to the content, you will reduce the disk contention on the system volume and improve overall disk access performance. Ensure that the dedicated disk volume is formatted as NTFS.

To help protect your Web sites and applications, store content on dedicated disk volumes by completing the following steps:

  1. Create a disk volume, or designate an existing disk volume, where the Web sites and applications will be stored.

  2. Configure the NTFS permissions on the root of the disk volume so that:

    • The Administrators group has full control.

    • All other permissions are removed.

  3. Create a folder, or designate an existing folder, on the dedicated disk volume to hold the subfolders that will contain the Web sites and applications.

  4. Beneath the folder that you created, or designated, in the previous step, create a subfolder for each Web site or application that will be installed on the Web server.

  5. Install the Web sites and applications in the subfolders that you created in the previous step.
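The five steps above, carried out as a script. This is an added example and not part of the original Microsoft page; it assumes PowerShell is available, that the dedicated NTFS volume is D:\, that the content root is D:\Inetpub, and that the site names are sample values.

```powershell
# Added example (not from the original page): lays out a dedicated content volume
# as described in steps 1-5. Assumed values: D:\ is the dedicated NTFS volume,
# D:\Inetpub holds the per-site subfolders, and the site names are samples.
$VolumeRoot  = 'D:\'
$ContentRoot = 'D:\Inetpub'
$Sites       = @('ContosoWeb', 'OrdersApp')

# Guard: the whole point is to keep content off the system volume.
if ($VolumeRoot.TrimEnd('\') -eq $env:SystemDrive) {
    throw "Content volume must not be the system volume ($env:SystemDrive)"
}

# Step 2: on the volume root, stop inheritance, drop every existing ACE,
# then grant the Administrators group (well-known SID S-1-5-32-544) Full Control.
$acl = Get-Acl -Path $VolumeRoot
$acl.SetAccessRuleProtection($true, $false)      # protect DACL, discard inherited ACEs
foreach ($ace in @($acl.Access)) {
    $acl.RemoveAccessRule($ace) | Out-Null         # remove remaining explicit ACEs
}
$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $adminSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $VolumeRoot -AclObject $acl

# Steps 3-4: content root plus one subfolder per Web site or application.
# They inherit the root ACL, so only Administrators can reach them for now.
New-Item -ItemType Directory -Path $ContentRoot -Force | Out-Null
foreach ($site in $Sites) {
    New-Item -ItemType Directory -Path (Join-Path $ContentRoot $site) -Force | Out-Null
}
# Step 5 is deploying the site files into those subfolders.

# Check: list any ACE on the volume root that is not the Administrators group.
(Get-Acl -Path $VolumeRoot).Access |
    Where-Object { $_.IdentityReference.Value -ne 'BUILTIN\Administrators' }
```

The final check should print nothing; any entry it prints is a permission that step 2 says should not be there. On a Windows Server 2003 host without PowerShell, cacls.exe can apply the same root permission (cacls D:\ /G Administrators:F replaces the existing ACL).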

At this step in the deployment process, only members of the Administrators group have access to the content. You will grant access to the users who will access the Web sites and applications in Setting NTFS Permissions later in this section.