Microsoft KB Archive/188806

= FIX: "::$DATA" Data Stream name of a file may return the script code for the file =

Article ID: 188806

Article Last Modified on 7/3/2006

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Internet Information Server 4.0
 * Microsoft Peer Web Services 3.0
 * Microsoft Personal Web Server 4.0

-



This article was previously published under Q188806



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
The NTFS file system supports multiple data streams in a file. The main data stream is named $DATA and stores the main content of the file. When the ::$DATA attribute of a script file is requested directly from a browser, IIS may return the script code for the file instead of executing it.



CAUSE
The problem occurs because of the way that Microsoft Internet Information Server (IIS) parses file names. The hotfix adds support for NTFS Alternate Data Streams to IIS by having Microsoft Windows NT canonicalize the file name.

Note For the problem to occur, all the following conditions must be true:
 * The file must reside on an NTFS partition.
 * You must know the name of the file.
 * You must have Read access to the file.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack



WORKAROUND
Note The hotfix for a bug in W3 and in FTP Performance Monitor also fixes the problem that is described in this article. If you plan to use Performance Monitor, see the following article in the Microsoft Knowledge Base:

185349 Problems remotely accessing W3 or FTP Perfmon counters

If you cannot apply the available hotfix, you can use the following workarounds to temporarily address this issue.

IIS
Typically, Web users do not have to have Read permissions to script files, such as .asp files. Web users only have to have Execute permissions. Removing Read permissions to these files for non-administrative users addresses this exposure.

Make the following additions to the Application Map in IIS 4.0. You must do this for all mappings:
 * Open the Microsoft Management Console (MMC).
 * Right-click the virtual server in question, and then click Properties.
 * On the Home Directory tab, click Configuration.
 * Add each of the entries that follow to the list of application mappings. Enter each entry as the file name extension of the mapping.

Executable Path                   Extensions
%System32%\Inetsrv\Asp.dll        .asp::$DATA  .asa::$DATA
%System32%\Inetsrv\Ssinc.dll      .stm::$DATA  .shtm::$DATA  .shtml::$DATA
%System32%\Inetsrv\Httpodbc.dll   .idc::$DATA
%System32%\Webhits.dll            .htw::$DATA

If you use Index Server, also include the following:

Executable Path                   Extensions
%System32%\Idq.dll                .idq::$DATA  .ida::$DATA

PERL

If you use PERL, add the following entry and make sure that it is mapped to your PERL script interpreter: .pl::$DATA
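The mappings above only make sense once you see how the handler lookup went wrong. The following is an added example, not IIS code: a simplified model of how IIS 4.0 chose a handler from the file name extension, why a ::$DATA suffix fell through to static-file handling, and how both fixes in this article (the extra ::$DATA mappings, and canonicalizing the file name as the hotfix does) route the request back to the script engine. The mapping table is copied from the article; the lookup rules are an assumption of the model.

```python
# Added example (not IIS code): a simplified model of how IIS 4.0 picked a
# handler for a request, why a "::$DATA" stream suffix bypassed the script
# mappings, and how the two fixes in this article close the gap.

# Script mappings as shipped: extension -> executable path (from the article).
BASE_MAP = {
    ".asp": r"%System32%\Inetsrv\Asp.dll",
    ".asa": r"%System32%\Inetsrv\Asp.dll",
    ".stm": r"%System32%\Inetsrv\Ssinc.dll",
    ".shtml": r"%System32%\Inetsrv\Ssinc.dll",
    ".idc": r"%System32%\Inetsrv\Httpodbc.dll",
}

# Workaround from this article: one extra "<ext>::$DATA" mapping per script type.
WORKAROUND_MAP = dict(BASE_MAP)
WORKAROUND_MAP.update({ext + "::$data": dll for ext, dll in BASE_MAP.items()})

STATIC = "static file (contents sent to the client as-is)"


def extension_of(path):
    """What the unpatched lookup used: everything from the last '.' onward."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def canonicalize(path):
    """Hotfix behaviour: strip any ':stream:$TYPE' suffix so the unnamed data
    stream is addressed by the plain file name. URL paths only (no drive letter)."""
    return path.split(":", 1)[0]


def handler_for(path, mappings, canonical=False):
    """Return the executable that services `path`, or STATIC if none matches."""
    if canonical:
        path = canonicalize(path)
    return mappings.get(extension_of(path), STATIC)


if __name__ == "__main__":
    for req in ("/default.asp", "/default.asp::$DATA", "/Global.asa::$data"):
        print(f"{req:24} unpatched:  {handler_for(req, BASE_MAP)}")
        print(f"{'':24} workaround: {handler_for(req, WORKAROUND_MAP)}")
        print(f"{'':24} hotfix:     {handler_for(req, BASE_MAP, canonical=True)}")
```

With the shipped map, "/default.asp::$DATA" has no matching extension and is served as a static file; the workaround map and the canonicalized lookup both send it to Asp.dll.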


General security practices
Additionally, the following practices may help enhance security for your servers that are running IIS:
 * Periodically review the users and the groups who have access to the Web server. Review the users and the groups and their permissions to make sure that only valid users have the appropriate permissions.
 * Use auditing to detect suspicious activity. Apply auditing controls to sensitive log files and then review these log files periodically to detect suspicious behavior or unauthorized behavior.
 * Set Read permissions and Execute permissions appropriately. ASP files and other script files do not have to be readable by the users who access them through IIS; they only have to be executable. Therefore, remove Read permissions from these files for typical users.
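The auditing practice above can be made concrete for this issue. The following is an added example, not from the article: it parses IIS W3C extended log lines (the sample lines are constructed, with documentation-range addresses) and reports every request whose URI names an NTFS data stream, together with the status code the server returned. On an unpatched server a 200 on such a request means the file contents were most likely sent to the client.

```python
# Added example: scan IIS W3C extended log lines for requests that name an NTFS
# data stream (":$DATA" suffix) and report which ones were answered with 200.
# The log lines below are constructed for the example, not taken from a server.
import re
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-01 10:00:01 192.0.2.10 GET /default.asp - 200
1998-07-01 10:00:05 192.0.2.10 GET /default.asp::$DATA - 200
1998-07-01 10:00:09 192.0.2.10 GET /include/global.asa::$data - 200
1998-07-01 10:01:12 192.0.2.55 GET /scripts/query.idq::$DATA - 404
1998-07-01 10:02:30 198.51.100.7 GET /images/logo.gif - 200
"""

# Matches "::$DATA" (unnamed stream) and ":name:$DATA" at the end of the URI stem.
STREAM_SUFFIX = re.compile(r":[^/\\:]*:\$data$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_stream_requests(text):
    """Return (uri, status, client) for every request that targets a data stream."""
    hits = []
    for rec in parse_w3c(text):
        if STREAM_SUFFIX.search(rec["cs-uri-stem"]):
            hits.append((rec["cs-uri-stem"], int(rec["sc-status"]), rec["c-ip"]))
    return hits


def summarize(text):
    """Count stream requests per status code; 200s are the ones to investigate."""
    return Counter(status for _, status, _ in find_stream_requests(text))


if __name__ == "__main__":
    for uri, status, client in find_stream_requests(SAMPLE_LOG):
        print(f"{status} {client:15} {uri}")
    print(dict(summarize(SAMPLE_LOG)))
```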


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.


MORE INFORMATION
For more information about this problem, see the following "File access issue with Windows NT Internet Information Server (IIS)" Microsoft Security Bulletin:

http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx

For more information about NTFS Alternate Data Streams, click the following article number to view the article in the Microsoft Knowledge Base:

105763 How to use NTFS alternate data streams

Additional query words: Peer Web Services filename filenames pws hot fix qfe sp service pack

Keywords: kbbug kbfix kbqfe kbhotfixserver KB188806

-


© Microsoft Corporation. All rights reserved.