FIX: "::$DATA" Data Stream name of a file may return the script code for the file (188806)
The information in this article applies to:
- Microsoft Windows NT Server 4.0 Terminal Server Edition
- Microsoft Internet Information Server 4.0
- Microsoft Peer Web Server 4.0 for Windows NT 4.0
- Microsoft Personal Web Server 4.0 for NT Workstation version 4.0
This article was previously published under Q188806
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SYMPTOMS
The NTFS file system supports multiple data streams in a file. The main data stream is named $DATA. The main data stream stores the main content. When you access the NTFS attribute directly from a browser, you may see the script code for the file.
CAUSE
The problem occurs because of the way that Microsoft Internet Information Server (IIS) parses file names. The hotfix involves IIS supporting NTFS Alternate Data Streams by making Microsoft Windows NT canonicalize the file name.
Note: For the problem to occur, all the following conditions must be true:
- The file must reside on an NTFS partition.
- You must know the name of the file.
- You must have Read access to the file.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack
WORKAROUND
Note: The hotfix for a bug in W3 and in FTP Performance Monitor also fixes the problem that is described in this article. If you plan to use Performance Monitor, see the following article in the Microsoft Knowledge Base:
185349 Problems remotely accessing W3 or FTP Perfmon counters
If you cannot apply the available hotfix, you can use the following workarounds to temporarily address this issue.
IIS
Typically, Web users do not need Read permissions to script files, such as .asp files. Web users need only Execute permissions. Removing Read permissions to these files for non-administrative users addresses this exposure.
Make the following additions to the Application Map in IIS 4.0. You must do this for all mappings.
- Open the Microsoft Management Console (MMC).
- Right-click the virtual server in question.
- Click Properties.
- On the Home Directory tab, click Configuration.
- Add each of the following entries to the list of application mappings. The entries must be entered as the file name extension.
Executable Path %System32%\Inetsrv\Asp.dll
.asp::$DATA
.asa::$DATA
Executable Path %System32%\Inetsrv\Ssinc.dll
.stm::$DATA
.shtm::$DATA
.shtml::$DATA
Executable Path %System32%\Inetsrv\Httpodbc.dll
.idc::$DATA
Executable Path %System32%\Webhits.dll
.htw::$DATA
If you use Index Server, also include the following:
Executable Path %System32%\Idq.dll
.idq::$DATA
.ida::$DATA
PERL
If you use PERL, add the following entry. Make sure that the following entry is mapped to your PERL script
interpreter:
.pl::$DATA
General security practices
Additionally, the following practices may help enhance security for your servers that are running IIS:
- Periodically review the users and the groups who have access to the Web
server. Review the users and the groups and their permissions to make sure
that only valid users have the appropriate permissions.
- Use auditing to detect suspicious activity. Apply auditing controls to
sensitive log files and then review these log files periodically to detect suspicious behavior
or unauthorized behavior.
- Set Read permissions and Execute permissions appropriately. ASP files and other script files do not have to be readable by users who access ASP files and other script files through IIS. Instead, ASP files and other script files have to be executable. Therefore, remove Read permissions from these files for typical users.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Modification Type: Minor | Last Reviewed: 7/3/2006
Keywords: kbHotfixServer kbbug kbfix kbQFE KB188806 kbAudDeveloper