We often mention inetpub in the process of explaining different development processes and tricks, such as in this post on how to view IIS logs on Windows and Azure. Because it’s important to understand how the inetpub folder works, the advantages of doing your development work there, and how to avoid potential vulnerabilities, we thought we’d take a closer look at inetpub as a stand-alone topic.
Definition of Inetpub
Inetpub is the folder on a computer that is the default folder for Microsoft Internet Information Services (IIS). The website content and web apps are stored in the inetpub folder — which keeps it organized and secure. IIS also allows more than one domain to be served from one inetpub folder.
How the Inetpub Folder Works
The inetpub folder is in the C drive (C:\inetpub) and has five subfolders:
- The \inetpub\adminscripts subfolder of the inetpub folder is home to administration scripts that allow you to automate server administration tasks and remotely administer the website served from the inetpub folder.
- The \inetpub\iissamples subfolder of the inetpub folder has sample applications that allow developers learn about how the website and web apps work. The content is for demonstration purposes only. Using any of the sample sites on a working IIS web server puts the computer at risk.
- The \inetpub\mailroot subfolder of the inetpub folder and its associated subfolders are used for processing SMTP service for mail.
- The \inetpub\scripts subfolder of the inetpub folder contains web applications that add functionality to the website.
- The \inetpub\wwwroot subfolder of the inetpub folder contains all the web pages and content that will be published on the web. It is the default directory for publishing web pages.
Websites can be created using the IIS Manager. Mostly, IIS serves static content — the same HTML is served to every user. But IIS 8.5 with serve dynamic content — generated by web applications.
Benefits of Developing a Site in the Inetpub Folder
The IIS web server allows developers to serve a website from anywhere on the computer. By keeping the website in the inetpub subfolders, the files only have the appropriate access, and the website can be secured properly.
As with many Windows products, there is an active developer community that loves to hate IIS as a web server. They tend to use Apache — an open source web server.
But developers who use IIS believe it’s easier than using Apache to start and set up a website. Then developers tend to stick with what they know after learning how to build and manage websites on IIS.
And because IIS is a Microsoft product, Microsoft is willing to put a lot of resources into developing the IIS web server, securing the host computer and offering support to troubleshoot problems. There also is a sizable community of developers helping each other work through any issues.
Developers and third-party vendors also have a broad range of products to augment and protect IIS web servers.
Ways to Prevent Inetpub Vulnerabilities
IIS allows any Windows computer — including PCs — to serve web pages from the inetpub folder. Unfortunately, this makes the computer vulnerable to attacks such as:
- SSI Buffer overrun privilege elevation
- Unicode .asp source code disclosure
- Microsoft index server buffer overflow
- File fragment disclosure
- Web server file request parsing
- Web server folder traversal
- HTTP protocol stack vulnerability
Some basic measures can help mitigate the risk of an attack through the inetpub folders compromising a computer.
- Delete the iissamples subfolder of the inetpub folder. The sample web apps and sites are instructional and have well-known vulnerabilities. The subfolder contains sample websites that production servers should never use.
- Restrict access and NTFS permissions to the files in the inetpub folder. These permissions allow websites to serve information to the public. But if the subfolders and files in the inetpub folder aren’t properly restricted, the whole computer is vulnerable — not just web files. A Microsoft article describes the permissions and user rights needed in the inetpub folder.
- Move the website to another volume. It is common knowledge that the default folder for IIS websites is found in the C:\inetpub\wwwroot. This increases the risk for breaches such as directory traversal attacks. Microsoft recommends moving the website directory to the D: drive.
- Uninstall any printers on the computer. Because desktop computers can become web servers thanks to IIS, that computer may be connected to a printer. Printer drivers can be compromised.
- Turn off IIS if the computer does not need to be a web server. IIS is turned off by default. But if someone turns it on by accident or changes their mind after attempting to develop a website on a local computer, it can be turned off.
- Click on Programs and Features in the control panel.
- Click on “Turn Windows features on or off” )(top left side)
- Scroll down and uncheck “Internet Information Services.”
- Restart the computer.
Where to Find Inetpub Support: Tutorials and Resources
- Microsoft IIS Forums
- Internet Information Services Subreddit
- IIS questions on StackOverflow
- Setting up a web site on local machine using IIS
- Serving New Content – Microsoft
- What Is Inetpub