DOCUMENT:Q188806
TITLE   :NTFS Alternate Data Stream Name of a File May Return Source
PRODUCT :IIS | Peer Web Server | Personal Web Server
PROD/VER:1.0 2.0 3.0 4.0 | 2.0 3.0 | 4.0
OPER/SYS:WINDOWS NT
KEYWORD :prodiis4 prodiis3 prodiis2

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
 - Microsoft Peer Web Server versions 2.0, 3.0
 - Microsoft Personal Web Server version 4.0 on Windows NT 4.0 Workstation
--------------------------------------------------------------------------

SYMPTOMS
========

The native Windows NT file system, NTFS, supports multiple data streams
within a file. The main data stream, the one that stores the file's content,
is called DATA. Requesting this NTFS attribute directly from a browser may
return the script code of the file instead of its output. For example,
requesting http://myserver/file.asp::$DATA may yield the contents of the
file itself rather than the processed results of the file.

CAUSE
=====

The problem is caused by the way Internet Information Server (IIS) parses
file names: a name qualified with a stream suffix is not treated as the
script file it refers to. The fix has IIS support NTFS alternate data
streams by asking Windows NT to canonicalize the file name before it is used.

NOTE: For the problem to occur, the file must reside on an NTFS partition,
and the user must both:

 - Know the name of the file.

   -and-

 - Have Read access to the file.

WORKAROUND
==========

If you cannot apply the available hotfix, you can use the following
workarounds to temporarily address this issue.

All IIS versions:

Normally, web users do not need Read access to script files, such as .ASP
files. They simply need Execute permissions. Removing Read access to
these files for non-administrative users will remove this exposure.

IIS 4.0 only:

Make the following additions to the Application Map in IIS 4.0 (this should
be done for all mappings):

1. Open the Microsoft Management Console (MMC).

2. Right-click the Virtual Server in question.

3. Click Properties on the shortcut menu.

4. On the Home Directory tab, select Configuration.

5. Now add each of the entries noted below to the list of application
   mappings. Enter each entry in the Extension field, mapped to the
   executable path shown above it.

   Executable Path %System32%\Inetsrv\Asp.dll
   ------------------------------------------

      .asp::$DATA
      .asa::$DATA

   Executable Path %System32%\Inetsrv\Ssinc.dll
   --------------------------------------------

      .stm::$DATA
      .shtm::$DATA
      .shtml::$DATA

   Executable Path %System32%\Inetsrv\Httpodbc.dll
   -----------------------------------------------

      .idc::$DATA

   Executable Path %System32%\Webhits.dll
   --------------------------------------

      .htw::$DATA

   If you use Index Server, also include the following:

   Executable Path %System32%\Idq.dll
   ----------------------------------

      .idq::$DATA
      .ida::$DATA
   PERL
   ----

   If you use PERL, add the following entry, mapped to your PERL script
   interpreter:

      .pl::$DATA
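   The following Python model is an added example (it is not IIS or
   Microsoft code) that ties the CAUSE section to the mapping workaround
   above: it shows why a request for file.asp::$DATA fell through the
   script map, how adding the ::$DATA entries closes that gap, and how
   canonicalizing the NTFS name:stream:type syntax closes it for every
   extension at once. The handler DLL names mirror the ones listed above;
   the request paths, the "static" and "reject" outcomes, and the
   case-insensitive lookup are assumptions of the model.

```python
# Added example (Python, not IIS or Microsoft code): a simplified model of
# mapping a request path to a script engine. It shows why file.asp::$DATA
# escaped the script map, how the IIS 4.0 application-map workaround closes
# it, and how canonicalising the NTFS stream syntax closes it without
# enumerating every extension. The DLL names mirror the article; the request
# paths and the "static"/"reject" outcomes are constructed for illustration.

# Extension -> handler, keyed in lower case (case-insensitive matching is an
# assumption of this model).
SCRIPT_MAP = {
    ".asp": "Asp.dll",
    ".asa": "Asp.dll",
    ".stm": "Ssinc.dll",
    ".shtm": "Ssinc.dll",
    ".shtml": "Ssinc.dll",
    ".idc": "Httpodbc.dll",
    ".htw": "Webhits.dll",
    ".idq": "Idq.dll",
    ".ida": "Idq.dll",
}

# The article's IIS 4.0 workaround: a second mapping per extension whose
# key carries the ::$DATA suffix.
WORKAROUND_MAP = dict(SCRIPT_MAP)
WORKAROUND_MAP.update({(ext + "::$DATA").lower(): dll for ext, dll in SCRIPT_MAP.items()})


def naive_extension(path):
    """Extension as seen by a parser unaware of NTFS stream syntax:
    everything from the last dot of the final path segment onward."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def split_ntfs_stream(name):
    """Split an NTFS file name of the form base[:stream[:$type]].
    'file.asp::$DATA' -> ('file.asp', '', '$DATA')."""
    parts = name.split(":", 2)
    base = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2] if len(parts) > 2 else ""
    return base, stream, stype


def canonical_extension(path):
    """Extension of the canonical file name (the unnamed $DATA stream).
    Returns None for a named alternate stream or a non-$DATA attribute,
    which a web server should not serve at all."""
    name = path.rsplit("/", 1)[-1]
    base, stream, stype = split_ntfs_stream(name)
    if stream or (stype and stype.upper() != "$DATA"):
        return None
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def resolve(path, script_map, extension_fn):
    """Return the handler DLL for a request, 'static' if the file's bytes
    would be sent as-is (the source disclosure), or 'reject'."""
    ext = extension_fn(path)
    if ext is None:
        return "reject"
    return script_map.get(ext, "static")


if __name__ == "__main__":
    req = "/scripts/file.asp::$DATA"
    print("unpatched:   ", resolve(req, SCRIPT_MAP, naive_extension))      # static
    print("workaround:  ", resolve(req, WORKAROUND_MAP, naive_extension))  # Asp.dll
    print("canonical:   ", resolve(req, SCRIPT_MAP, canonical_extension))  # Asp.dll
    print("named stream:", resolve("/scripts/file.asp:notes", SCRIPT_MAP, canonical_extension))  # reject
```

   The model makes the limits of the workaround visible: it only protects
   extensions that have been given a ::$DATA twin, which is why the steps
   above say to do it for all mappings, and a mapping added later (the
   PERL one, for example) needs its own entry. Canonicalizing first, as the
   hotfix does, needs no per-extension list.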

General Security Practices:

In addition, the following practices can help to further improve security
for your IIS servers:

 - Periodically review the users and groups who have access to the web
   server. Review the users and groups and their permissions to ensure that
   only valid users have the appropriate permissions.

 - Use auditing to detect suspicious activity. Apply auditing controls on
   sensitive files and review these logs periodically to detect suspicious
   or unauthorized behavior.

 - Set Read and Execute permissions appropriately. ASP and other script
   files do not need to be readable by users who access them through IIS;
   rather, they need to be executable. Thus, it is advisable to remove Read
   access from these files for normal users.
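The auditing practice above can be backed by a check of the web server's
own request logs. The following Python script is an added example, not
part of this article, that scans W3C extended-format IIS log lines and
flags requests whose URI names an NTFS stream such as file.asp::$DATA. The
log excerpt in it is constructed for illustration; the column names are
the W3C extended log fields IIS writes.

```python
# Added example (Python, not from the article): a detection pass over IIS
# W3C extended-format log lines that flags requests whose URI names an NTFS
# stream such as file.asp::$DATA. The log excerpt below is constructed; the
# column names are the W3C extended log fields IIS writes.

from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1998-07-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-20 10:15:01 192.0.2.10 GET /default.asp - 200
1998-07-20 10:15:07 192.0.2.10 GET /default.asp::$DATA - 200
1998-07-20 10:16:40 192.0.2.44 GET /scripts/login.asp%3A%3A$data - 200
1998-07-20 10:17:02 192.0.2.44 GET /images/logo.gif - 200
1998-07-20 10:18:30 192.0.2.77 GET /global.asa::$DATA - 404
"""


def parse_w3c(lines):
    """Yield one dict per data row, naming columns from the most recent
    #Fields: directive (the W3C format allows it to change mid-file)."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; a production tool should report it
        yield dict(zip(fields, values))


def names_ntfs_stream(uri_stem):
    """True if the final path segment carries an NTFS stream qualifier.
    The stem is percent-decoded first so an encoded colon is not missed."""
    last = unquote(uri_stem).rsplit("/", 1)[-1]
    return ":" in last


def find_stream_requests(log_text):
    """Return (timestamp, client, stem, status) for each flagged request."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec.get("cs-uri-stem", "")
        if names_ntfs_stream(stem):
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         stem, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for when, client, stem, status in find_stream_requests(SAMPLE_LOG):
        print(f"{when} {client} {status} {stem}")
```

On an unpatched server a 200 for such a request means the file's bytes,
not the processed page, went out; after the hotfix the same request should
return the processed result with the same status code, so the URI pattern
rather than the status is the signal worth alerting on. Pair this with
NTFS auditing on the script files themselves, as recommended above, so
that reads of the source are recorded on the file system side as well.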

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server
versions 1.0, 2.0, 3.0, and 4.0, Peer Web Server versions 2.0 and 3.0, and
Personal Web Server version 4.0 on Windows NT 4.0 Workstation.

A supported fix is now available for Internet Information Server 3.0 and
4.0, Peer Web Server 3.0 and Personal Web Server 4.0 on Microsoft Windows
NT 4.0 Workstation, but has not been fully regression-tested and should be
applied only to systems experiencing this specific problem. Unless you are
severely impacted by this specific problem, Microsoft recommends that you
wait for the next Service Pack that contains this fix. Contact Microsoft
Technical Support for more information.

IIS 4.0
-------

On July 17, 1998, Microsoft released an updated version of this hotfix.

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-datafix/

IIS 3.0
-------

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-datafix/

IIS 1.0, 2.0
------------

For all IIS 1.0, 2.0 and Peer Web Server 2.0 platforms, we strongly
recommend that you upgrade to a more recent version. If you cannot upgrade
to a more recent version, you can use the workarounds listed above to
temporarily address this issue.

MORE INFORMATION
================

For more information on this issue, see the following Microsoft Security
Bulletin:

   98-003: File Access issue with Internet Information Server
   http://www.microsoft.com/security/bulletins/ms98-003.htm

For more information on Alternate Data Streams, see the following article
in the Microsoft Knowledge Base:

   ARTICLE-ID: Q105763
   TITLE     : HOWTO: Use NTFS Alternate Data Streams

Additional query words: Peer Web Services filename filenames pws hot fix
qfe sp service pack
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.