--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server versions 2.0, 3.0, 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

The native Windows NT file system, NTFS, supports multiple data streams
within a file. The main data stream, that which stores the main content, is
called DATA. Accessing this NTFS attribute directly from a browser may
display the script code for the file. For example, accessing
http://myserver/file.asp::$DATA may yield the contents of the file itself,
not the processed results of the file.

CAUSE
=====

The problem is caused by the way Internet Information Server (IIS) parses
file names. The fix involves IIS supporting NTFS alternate data streams by
asking Windows NT to canonicalize the filename.

NOTE: For the problem to occur, the file must reside on an NTFS partition,
and the user must:

 - Know the name of the file.

   -and-

 - Have read and execute access to the file.

WORKAROUND
==========

If you cannot apply the hotfix, you can use the following workaround to
temporarily address this issue.

Make the following additions to the Application Map in IIS 4.0 (this should
be done for all mappings):

1. Open the Microsoft Management Console (MMC).

2. Right-click the Virtual Server in question.

3. Click Properties on the shortcut menu.

4. On the Home Directory tab, select Configuration.

5. Now add each of the entries noted below to the list of application
   mappings. The entries should be entered into the Extension.

   Executable Path %System32%\Inetsrv\Asp.dll
   ------------------------------------------
   .asp::$DATA
   .asa::$DATA

   Executable Path %System32%\Inetsrv\Ssinc.dll
   --------------------------------------------
   .stm::$DATA
   .shtm::$DATA
   .shtml::$DATA

   Executable Path %System32%\Inetsrv\Httpodbc.dll
   -----------------------------------------------
   .idc::$DATA

   Executable Path %System32%\Webhits.dll
   --------------------------------------
   .htw::$DATA

If you use Index Server, also include the following:

   Executable Path %System32%\Idq.dll
   ----------------------------------
   .idq::$DATA
   .ida::$DATA

If you use PERL, add the following entry, mapped to your PERL script
interpreter:

   .pl::$DATA

In addition, the following practices can help to further improve security
for your IIS servers:

 - Periodically review the users and groups who have access to the web
   server. Review the users and groups and their permissions to ensure that
   only valid users have the appropriate permissions.

 - Use auditing to detect suspicious activity. Apply auditing controls on
   sensitive files and review these logs periodically to detect suspicious
   or unauthorized behavior.

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server
versions 2.0, 3.0, and 4.0. A supported fix is now available, but has not
been fully regression-tested and should be applied only to systems
experiencing this specific problem. Unless you are severely impacted by
this specific problem, Microsoft recommends that you wait for the next
Service Pack that contains this fix. Contact Microsoft Technical Support
for more information.

For IIS 3.0 on Intel platforms, the hotfix is located at

   ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/iis3-datafix/iis3fixi.exe

For IIS 3.0 on Alpha platforms, the hotfix is located at

   ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/iis3-datafix/iis3fixa.exe

For IIS 4.0 on Intel platforms, the hotfix is located at

   ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/iis4-datafix/iis4fixi.exe

For IIS 4.0 on Alpha platforms, the hotfix is located at

   ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/iis4-datafix/iis4fixa.exe

MORE INFORMATION
================

For more information on Alternate Data Streams, see the following article
in the Microsoft Knowledge Base:

   ARTICLE-ID: Q105763
   TITLE     : HOWTO: Use NTFS Alternate Data Streams
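
Added example (not part of the original article and not Microsoft's code): a simplified Python model of the extension lookup described under CAUSE, the effect of the WORKAROUND mappings, and a log check for such requests in support of the auditing advice. The script map subset, handler labels, log layout and sample lines are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed subset of the script map (extension -> handler DLL) from the WORKAROUND list.
SCRIPT_MAP = {".asp": "asp.dll", ".asa": "asp.dll", ".stm": "ssinc.dll", ".idc": "httpodbc.dll"}
STREAM_SUFFIX = "::$data"


def extension(path):
    """Extension as a naive parser sees it: last '.' of the last segment to the end."""
    leaf = path.rsplit("/", 1)[-1].lower()
    dot = leaf.rfind(".")
    return leaf[dot:] if dot != -1 else ""


def canonicalize(path):
    """Simplified model: 'name::$DATA' is the default stream, i.e. the file 'name'."""
    return path[: -len(STREAM_SUFFIX)] if path.lower().endswith(STREAM_SUFFIX) else path


def handler(path, script_map, canonical=False):
    """Pick the handler for a request path; unmapped names are served as raw files."""
    name = canonicalize(path) if canonical else path
    return script_map.get(extension(name), "raw file contents")


def with_workaround(script_map):
    """Model the article's workaround: map every '<ext>::$DATA' to the same DLL."""
    extra = {ext + STREAM_SUFFIX: dll for ext, dll in script_map.items()}
    return {**script_map, **extra}


def flag_stream_requests(log_lines):
    """Return decoded URI paths ending in '::$DATA' (any case, percent-encoded or not)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        path = unquote(fields[2].split("?", 1)[0])
        if path.lower().endswith(STREAM_SUFFIX):
            hits.append(path)
    return hits


# Constructed log lines in a simplified "date method uri status" layout.
SAMPLE_LOG = [
    "1998-07-02 GET /default.asp 200",
    "1998-07-02 GET /file.asp::$DATA 200",
    "1998-07-02 GET /inc/global.asa%3A%3A%24data?x=1 200",
]
```

Without canonicalization the lookup key for the stream form is ".asp::$data", which matches no mapping, so the file is returned unprocessed; either canonicalizing first or adding the workaround mappings routes it back to the script handler.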