Settings May Not Be Applied with URL with Short Filename --------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server version 4.0 - Microsoft Personal Web Server version 4.0 on Microsoft Windows NT Workstation version 4.0 --------------------------------------------------------------------------- SYMPTOMS ======== Microsoft has been made aware of an issue in Internet Information Server (IIS) 4.0 and Personal Web Server (PWS) 4.0 in which certain configuration settings may not be applied when a URL with short file name equivalents is requested. These configuration setting include restricting access by IP address, PICS ratings, and requiring SSL encryption. Windows NT file permissions (ACLs) are not affected. Users are able to access certain directories or files through IIS 4.0 or PWS 4.0 and bypass specific security settings such as SSL encryption. CAUSE ===== The Windows NT and Windows 95 file systems (FAT, FAT32, and NTFS) support file names of up to 255 characters. To maintain compatibility with older, non 32-bit applications, a short file name (called the 8.3 file name) is created for each file. This short file name equivalent is used by older applications to access directories and files with long names. IIS 4.0 and PWS 4.0 maintain certain configuration information about directories and files in a database called the metabase. The metabase does not contain file permissions, but rather Web server-specific information such as requiring SSL encryption, proxy cache setting, and PICS ratings. Actual file and directory permissions are enforced by NTFS and are not affected by this problem. In certain cases when a URL is requested using the short file name, it is possible that configuration properties specified in the metabase may not be applied as expected. This issue only occurs where long file names are used for directories or files, and specific metabase configuration properties are set on those directories or files. File permissions by a user or group using NTFS access control lists (ACL) are not affected. STATUS ====== NOTE: The supported fix is for IIS and PWS on Windows NT Workstation. A fix for PWS on Microsoft Windows 95 is still pending. Microsoft has confirmed this to be a problem in Microsoft Internet Information Server version 4.0 and Personal Web Server version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. The fix is available at the following location: ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix Please contact Microsoft Technical Support for more information.