The best reason is that directory traversal (Unicode) attacks don't
work. This is the method that CR used to put in the "backdoor". It moved
cmd.exe from c:\winnt\system32 to c:\inetpub\wwwroot\scripts and renamed
it to root.exe. This would not be possible if it were on a separate
drive or partition, since you cannot change drives, only move up/down the
directory structure.
-----Original Message-----
From: Daymon McCartney [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 02, 2001 12:37 AM
To: [EMAIL PROTECTED]
Subject: Location of web root


OK Everyone, I need some help!

I'm trying to articulate the reasons why it's better to place the root
of a website on a separate partition, or at least in a separate
directory from the application which uses IIS as a front-end...

An example:
Client/Server software program installed at C:\Program Files\company\productname\
WWW files can be installed to:
1.      C:\InetPub\WWWRoot
2.      C:\ProductNameWWW
3.      C:\Program Files\company\ProductName\ProductWWW
4.      C:\Program Files\company\ProductWWW
5.      D:\

The website utilizes ADO, OLEDB (via MDAC 2.6 SP1) to connect to a SQL 7
database that is housed on another server.  .ASP is the coding of choice
along with some plain HTML.  The machines will be patched up-to-date and
plenty of other security measures will be taken!

Personally I believe the safest location would be on D:\ (if there's
nothing else on it).  My next choice would be option #2, followed by #4.
I don't like the idea of having the webroot be a subfolder of the actual
server files (option 3), and I sure don't like it in the default
C:\InetPub\WWWRoot.  Even though I can remove all the default mappings &
virtual directories from WWWRoot I still don't like the fact that some
scriptkiddie script might rely on the existence of a folder called
C:\Inetpub\WWWRoot.

I know I've read different places in the past some examples of how
Option 3 can be exploited.  All of the options on C: could be a problem
if a traversal exploit is used.  The problem is I'm having problems
searching for this scenario on the common search engines.  I'm getting
way too many false hits that don't address the issue at hand.

I *do* understand that there's a lot more to hardening an IIS
installation than the placement of the root folder.  This is just one of
the first things that popped into my head at a meeting we had, so I
mentioned it. Unfortunately, everyone thinks I'm crazy and cannot see
the impact that the placement of the root folder may have.  What sort of
concrete evidence is out there for me to use to support my case?  ...Or
am I just being too paranoid about the placement of the root folder?!?
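The mechanism the reply at the top of this thread describes (a traversal request whose over-long UTF-8 "/" is only decoded after the server's traversal check, then ".." segments walking from the web root up to system32) as an added worked example that is not part of either message. It is a Python model built on `ntpath`, so it runs on any platform; the request string, the two web roots and the in-memory list of files on the box are constructed for illustration, and the lenient decoder is a simplified stand-in for the vulnerable server's behaviour, not its code. It shows the point the reply makes: the collapsed path stays on whatever drive the web root is on, so with the web root on C: it lands on cmd.exe and with the web root on D: it does not.

```python
import ntpath
from urllib.parse import unquote_to_bytes

# Constructed request in the style of the Unicode traversal the reply mentions:
# %c0%af is an over-long two-byte encoding of "/" that a strict decoder rejects.
TRAVERSAL_REQUEST = "/scripts/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe"

# Constructed picture of which files exist on the box (lower-cased ntpath form).
FILES_ON_BOX = {
    ntpath.normcase(r"C:\winnt\system32\cmd.exe"),
    ntpath.normcase(r"C:\inetpub\wwwroot\scripts\hello.asp"),
    ntpath.normcase(r"D:\wwwroot\scripts\hello.asp"),
}


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way the vulnerable server effectively did: two-byte
    forms are accepted even with an over-long 0xC0/0xC1 lead byte, so
    b'\\xc0\\xaf' becomes '/'. Simplified model of the bug, not the real decoder."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif 0xC0 <= c <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))  # assumption: other bytes pass through as Latin-1
            i += 1
    return "".join(out)


def strict_utf8(raw: bytes):
    """Python's own decoder refuses over-long sequences; returns None on failure."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def resolve_target(webroot: str, uri_path: str, decoder=lenient_utf8):
    """Map a request path onto the filesystem the way a naive server would:
    percent-decode, decode the text, drop the leading slash, join to the
    web root and collapse '..' with Windows path rules (ntpath.normpath
    never climbs above the drive root, which is the whole point here)."""
    text = decoder(unquote_to_bytes(uri_path))
    if text is None:
        return None
    rel = text.lstrip("/\\")
    return ntpath.normpath(ntpath.join(webroot, rel))


def stays_inside(webroot: str, target: str) -> bool:
    """The check a server should make after resolution: target under web root?"""
    root = ntpath.normcase(ntpath.normpath(webroot)).rstrip("\\") + "\\"
    return ntpath.normcase(target).startswith(root)


def traversal_reaches_cmd(webroot: str, request: str = TRAVERSAL_REQUEST) -> bool:
    """Does the collapsed path land on a file that exists in the constructed box?"""
    target = resolve_target(webroot, request)
    return target is not None and ntpath.normcase(target) in FILES_ON_BOX


if __name__ == "__main__":
    for webroot in (r"C:\inetpub\wwwroot", r"D:\wwwroot"):
        target = resolve_target(webroot, TRAVERSAL_REQUEST)
        print(f"{webroot:22} -> {target:28} inside={stays_inside(webroot, target)} "
              f"cmd.exe reached={traversal_reaches_cmd(webroot)}")
    print("strict decoder result:", strict_utf8(unquote_to_bytes(TRAVERSAL_REQUEST)))
```

Run as a script it prints the C: web root resolving to C:\winnt\system32\cmd.exe (reached) and the D: web root resolving to D:\winnt\system32\cmd.exe (nothing there), and shows that a strict decoder rejects the request outright. Note that the drive argument only covers ".." climbing; `stays_inside` is the check that catches the escape regardless of where the web root lives.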