COMMAND

    Web Servers like IIS 4.0, Netscape Enterprise 3.0x, Netscape
    Fasttrack 3.01 (2.x?) and Website Pro

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Greg Skafte posted the following about a nifty security  hole  in
    several NT based web servers.  If you protect a file whose name is
    not 8.3 in its makeup, you  can often access the  canonical  name
    without  restriction.   Example  follows.   If  a  file  named
    "somelongfile.htm" is protected, then you can access somel~1.htm
    if somel~1.htm is the canonical name (don't recall the correct NT
    term).  This also applies to directory names.
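
    The following is an added example, not part of Greg Skafte's post
    or of the advisory: it models a directory that auto-generates 8.3
    aliases (simplified rule: first six characters, "~n", three-letter
    extension), then contrasts an access check that compares the
    requested name literally against the protected list with one that
    canonicalizes the request to its long name first. All file names
    are constructed sample data.

```python
import re


def _clean(s, n):
    """Keep only characters allowed in a short name, truncated to n, upper-cased."""
    return re.sub(r"[^A-Za-z0-9_$]", "", s)[:n].upper()


class Directory:
    """In-memory stand-in for an NTFS directory that generates 8.3 aliases (constructed)."""

    def __init__(self, names):
        self.long_names = list(names)
        self.short_to_long = {}            # lower-cased alias -> real long name
        for name in names:
            alias = self._make_alias(name)
            if alias:
                self.short_to_long[alias.lower()] = name

    def _make_alias(self, name):
        stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
        # A name that already fits 8.3 with safe characters gets no alias.
        if ("." not in stem and len(stem) <= 8 and len(ext) <= 3
                and _clean(stem, 8) == stem.upper() and _clean(ext, 3) == ext.upper()):
            return None
        base, ext3 = _clean(stem, 6), _clean(ext, 3)
        for n in range(1, 10):             # ~1, ~2, ... until no collision
            alias = f"{base}~{n}" + (f".{ext3}" if ext3 else "")
            if alias.lower() not in self.short_to_long:
                return alias
        return None

    def canonical(self, requested):
        """Map any spelling of a request, long name or 8.3 alias, to the long name."""
        for name in self.long_names:
            if name.lower() == requested.lower():
                return name
        return self.short_to_long.get(requested.lower())


def vulnerable_check(directory, protected, requested):
    """Literal comparison: the 8.3 alias of a protected file slips past the list."""
    if requested.lower() in (p.lower() for p in protected):
        return "denied"
    return "allowed" if directory.canonical(requested) else "not found"


def hardened_check(directory, protected, requested):
    """Resolve the request to the real long name before consulting the list."""
    name = directory.canonical(requested)
    if name is None:
        return "not found"
    return "denied" if name.lower() in (p.lower() for p in protected) else "allowed"
```

    With "somelongfile.htm" protected, the vulnerable check lets a
    request for its alias through while the hardened check denies it.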

SOLUTION

    The fix for IIS 4.0 is out and is at:

        ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix/

    As a quick fix, try opening the policy editor:

        / local computer / win nt system / file system

    and check the box near

        'do not create 8.3 file names for long file names'

    and don't check the box

        'allow extended characters in 8.3 file names'

    If you don't want to mess with the policy editor:

        HKLM\system\currentcontrolset\control\filesystem
        NtfsDisable8Dot3NameCreation: REG_DWORD: 1
        Win31FileSystem: REG_DWORD: 0
        Win95TruncatedExtension: REG_DWORD: 0

    Turning this on (and then  rebooting the machine) will prevent  NT
    from creating the  short names in  question here.   Note, however,
    that this will not remove them from files that already exist.   So
    if  you  want  to  use  this  as  a workaround, set the parameter,
    reboot, rename  the web  root directory,  and then  copy the files
    back (or something along those  lines).  Also, be aware  that this
    registry parameter may cause very mysterious problems months  down
    the  road.   When   these  short  names   are  not  present,   the
    GetShortPathName() API will fail.  Any application that relies  on
    that API might start complaining that files and directories  don't
    exist, when in fact they actually do.