IIS Parent Paths

Issue

If ASPEnableParentPaths is enabled, ASP pages can use relative paths (..) to reach the parent of the current directory. If the parent directories also have execute access, a script could run an unauthorized program in a parent directory.

Solution

Disable the ASPEnableParentPaths option on Internet Information Services (IIS).

Instructions

To disable the ASPEnableParentPaths option in Windows XP Professional

  1. Click Start, point to Programs, then Administrative Tools, then click Internet Information Services.
  2. In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
  3. In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
  4. In the Application Configuration dialog box, click the Options tab, and then clear the Enable parent paths check box.

To disable the ASPEnableParentPaths option in Windows 2000

  1. Click Start, point to Programs, then Administrative Tools, then click Internet Services Manager.
  2. In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
  3. In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
  4. In the Application Configuration dialog box, click the App Options tab, and then clear the Enable parent paths check box.

To disable the ASPEnableParentPaths option in Windows NT

  1. Click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
  2. In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
  3. In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
  4. In the Application Configuration dialog box, click the App Options tab, and then clear the Enable parent paths check box.

If you are running Microsoft Small Business Server 2000

  1. Follow the steps above for Windows 2000.

  2. Click OK. The Inheritance Overrides dialog box appears.
    NOTE: The following three nodes should be listed in the Child Nodes section: Public, Exchange, and Exadmin. If none of these child nodes is listed, run the IIS Lockdown tool, and then re-run the Microsoft Baseline Security Analyzer.

  3. Click OK to close the Inheritance Overrides dialog box.

  4. Click OK to close the Web Site Properties dialog box.

Important: If this procedure is done incorrectly, Exchange (specifically Outlook Web Access) will no longer function. If this occurs, run the IIS Lockdown tool again, verify that the three child nodes named in the steps above appear in the Inheritance Overrides dialog box, and then click OK to accept these settings.
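
The result of the steps above can be checked with a read-only audit of the IIS metabase, which also shows any child node that still overrides the site-level setting. The following VBScript is an added example, not part of the original Microsoft page; it assumes the IIS ADSI provider (IIS://localhost/W3SVC) is present and that the script is run by an administrator with cscript. It changes no settings.

```vbscript
' Added example (not Microsoft's code): read-only audit of AspEnableParentPaths.
' Assumption: run on the IIS server as an administrator, for example
'   cscript //nologo audit-parentpaths.vbs   (the file name is arbitrary)
Option Explicit

Dim flagged
flagged = 0

' Start at the Web service (master properties) and descend through every
' site, virtual directory and directory below it.
Walk GetObject("IIS://localhost/W3SVC")

If flagged = 0 Then
    WScript.Echo "OK: no node has parent paths enabled."
Else
    WScript.Echo flagged & " node(s) still have parent paths enabled."
End If
WScript.Quit flagged   ' non-zero exit code when something needs attention

' Report the effective value on one metabase node, then visit its children.
Sub Walk(node)
    Dim value, child
    value = Empty
    On Error Resume Next          ' some nodes (filters, info) lack the property
    value = node.AspEnableParentPaths
    On Error GoTo 0
    If Not IsEmpty(value) Then
        If value Then
            flagged = flagged + 1
            WScript.Echo "ENABLED  " & node.Class & "  " & node.ADsPath
        End If
    End If

    On Error Resume Next          ' leaf nodes cannot be enumerated
    For Each child In node
        If Err.Number <> 0 Then Exit For
        Walk child
    Next
    On Error GoTo 0
End Sub
```

On Small Business Server 2000, review any Public, Exchange, or Exadmin entries in the output against the note above before changing them.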

Additional Information

AspEnableParentPaths MetaBase Property Should Be Set To False (Q184717)

© 2002 Microsoft Corporation. All rights reserved.