Re: CERT Advisory CA-98.04 - NT.WebServers

David LeBlanc (dleblanc@MINDSPRING.COM)
Fri, 06 Feb 1998 16:30:30 -0500

At 05:56 PM 2/6/98 -0500, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-98.04
>Original issue date: Feb. 06, 1998
>Last revised: --
>
>Topic: Microsoft Windows-based Web Servers unauthorized access - long file
> names

>-----------------------------------------------------------------------------
> B. Until you are able to install the appropriate patch, we recommend the
> following workaround.
>
> (1) Use only 8.3-compliant short file names for the files that
> you want to have protected solely by the web server.
>
> (2) Use NTFS-based ACLs (directory or file level access control
> lists) to augment or replace web server-based security.
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is another work-around, which is much less trouble and retains more
of the capabilities of your web site. If you are not using any 16-bit
applications, then you can turn off 8.3 filename generation. The method to
use would be to:

1) Open the registry editor [insert standard warnings about not nuking the
registry here].

2) Navigate to:

Registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem

3) Create a value named: NtfsDisable8dot3NameCreation, type REG_DWORD, and
set it to 1.

4) Reboot your system. It will no longer create new 8.3 filenames.

5) Use scopy (to preserve your permissions) to copy your web site to
another part of the drive. Once you have verified it is correctly copied,
erase the existing files, and copy it back. The new files and directories
will not contain an 8.3 filename, and will not be available to this exploit.

David LeBlanc |Why would you want to have your desktop user,
dleblanc@mindspring.com |your mere mortals, messing around with a 32-bit
|minicomputer-class computing environment?
|Scott McNealy
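
A read-only check for steps 3 to 5 above, as an added example that is not part of the original post: it reads the registry value and lists anything under the web root that still carries a separate 8.3 alias. The `$WebRoot` default and the function name `Get-ShortNameAlias` are assumptions, and PowerShell with the `Scripting.FileSystemObject` COM object is used here for convenience; both postdate the message.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# Assumed names: the $WebRoot default path and the function Get-ShortNameAlias.
param([string]$WebRoot = 'C:\InetPub\wwwroot')

function Get-ShortNameAlias {
    param([Parameter(Mandatory)][string]$Path)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $entry = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName) } else { $fso.GetFile($_.FullName) }
        # Assumption: ShortName falls back to the long name when no alias is
        # stored, so a difference means the entry still has an 8.3 alias.
        # -ne is case-insensitive, so README.TXT vs readme.txt is not a hit.
        if ($entry.ShortName -ne $entry.Name) {
            [pscustomobject]@{ Alias = $entry.ShortName; LongPath = $_.FullName }
        }
    }
}

# Step 3: confirm the value from the message is present and set to 1.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$prop = Get-ItemProperty -Path $key -Name NtfsDisable8dot3NameCreation -ErrorAction SilentlyContinue
if ($null -eq $prop -or $prop.NtfsDisable8dot3NameCreation -ne 1) {
    Write-Warning 'NtfsDisable8dot3NameCreation is not 1: new files may still get 8.3 names.'
}

# Step 5: anything listed here was created before the setting took effect
# and has not been copied away and back yet.
$aliases = @(Get-ShortNameAlias -Path $WebRoot)
if ($aliases.Count -eq 0) {
    "No 8.3 aliases found under $WebRoot."
} else {
    $aliases | Format-Table -AutoSize
}
```

An empty result after the copy-back in step 5 indicates the site content no longer has short-name aliases; a non-empty result lists the entries that still need to be re-created.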