Since the introduction of Windows 2000, I've missed a feature that I used in the Windows NT 4.0 Option Pack to manage services and prevent Web server attacks: the ability to change the default paths and folder names for IIS 5.0. Rather than offering IIS as a separate program, the Option Pack included IIS 4.0 as part of the installation options. Administrators could easily designate the path for the default folders and files associated with each IIS service, segment FTP servers to separate drives, and move Network News Transfer Protocol (NNTP) and SMTP folders to large drives to accommodate file proliferation. In particular, I appreciated the ability to change the name of the default paths to guard against attackers.
But the Win2K installation process uses a default path for the IIS files (the INETPUB folder on the system drive), and you can't change the path during setup by using the Win2K installation CD-ROM. Administrators need to be aware that most major server manufacturers use an installation process that installs IIS by using the default paths, which attackers can easily exploit. Last year, my company saw hundreds of attacks against our servers each day; intruders looked for files in the default locations. We discovered that you can change the default paths for IIS in one of two ways: after installation or during installation. I describe both methods in this article and discuss how to avoid a few stumbling blocks.
Changing Default IIS Paths After Installation
To change the default paths of IIS after installation, you can use VBScript to move the folders to a new location and modify the metabase so that IIS recognizes the new paths for the files. Web Listing 1 (http://www.windowswebsolutions.com, InstantDoc ID 25987), which I found in a Microsoft article that no longer exists on the Microsoft site, provides a sample script you can use to relocate the Web and FTP folders. However, the article doesn't explain how to move the SMTP or NNTP folders. In addition, the script has some aspects that administrators need to consider before executing it. The script
- doesn't include the parameters for moving the NNTP folders if they're installed.
- assumes that the machine has a D drive and that the SMTP site's folders are on it, so if the SMTP service isn't installed, you need to comment out these lines before running the script.
- assumes that IIS is already installed on the system and in the default locations.
- uses the adsutil.vbs file and expects to locate the file in the C:\inetpub\adminscripts folder.
- copies the files instead of moving them, leaving the files in the old locations on the system.
Despite these caveats, the default script does significant error checking and can work well for systems on which IIS is already installed. The script also relocates the Index Service catalogs at the same time it changes the IIS file locations. Another plus is that you don't need to stop the IIS or Index Server services manually, because the script stops the services and restarts them when finished. You can easily work around the script's glitches by editing the script, either modifying lines or commenting them out.
To use the script, save the file with a name such as autoweb.vbs (or choose another name, but be sure to use the .vbs extension), as Web Listing 1 shows. To comment out a line, place an apostrophe ( ' ) at the beginning of the line, which will cause the script engine to ignore the line information and continue processing. To modify the path, use Notepad or another text editor to search the file for INETPUB and replace the path with the top-level folder you choose for the location of the IIS files.
You need to modify the default script to move the NNTP folders and files. Because the script doesn't include the parameters for the NNTP folders and files, adding this information for the service will cause the script to fail if the NNTP service isn't present. However, the script will work if the NNTP parameters aren't present in the script but the service is present. To modify the default script, either download the autoweb file and follow these steps as you edit it in a text editor, or download Web Listing 2 and edit that script in a text editor.
- Change the line DIM PARAMS (7) to DIM PARAMS (21). This step enlarges the array of path variables within the script.
- Change the line DIM PARAMS2 (3) to DIM PARAMS2 (4).
- On the line after the one that begins with "Params (7) =", add the lines that Web Listing 2 shows.
- Add the line Params2 (4) = "nntpsvc" on the line after Params2 (3) = "w3svc".
The example provided changes the script to add the NNTP folders to the list of folders you want to modify. If the NNTP service isn't installed, you don't need to add these files to the script; the same is true for the SMTP service changes. In the final copy of the script, I added the lines the script needs for moving the folders and files to either the D or E drive. The last change lets the NNTP service restart along with the other services. The script also includes the necessary paths and files for both the SMTP and NNTP services as well as the Web and FTP services.
I've run this script in test environments and on systems to be placed into production, and I've found it accomplishes the task of moving folders to the new location. However, note the following warnings about using this script. First, ensure that Microsoft Management Console (MMC) isn't running when you execute the script, because if the MMC component is running, the script won't run, and you might have to manually restart any IIS service and retry the script. Second, note that although the script stops and restarts the services, you need to restart the services again after running the script to effect the changes.
In addition, note that this script doesn't change the location of other default sites, nor does the script move virtual directories. As with any new procedures or system changes, test the changes thoroughly in a test environment before making changes to a production system.
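The following script is an added illustration of the approach this section describes (stop the services, move the folders, rewrite the metabase paths, restart the services); it is my own example, not the article's Web Listing 1 or 2 and not Microsoft's script. It assumes IIS 5.0 is installed under the default C:\Inetpub, that the Default Web Site and Default FTP Site are instance 1 of W3SVC and MSFTPSVC, and that E:\SiteData is the chosen new top-level folder (an assumed value). Unlike the listing, it deletes the original folders after copying them and talks to the metabase through the IIS ADSI provider rather than adsutil.vbs.

```vbscript
' Added example (not the article's Web Listing 1 or 2): relocate the default
' Web and FTP root folders and point the IIS 5.0 metabase at the new location.
' Assumptions: IIS is installed under the default C:\Inetpub, the default Web
' site is instance 1 of W3SVC, the default FTP site is instance 1 of MSFTPSVC,
' and E:\SiteData is the chosen (assumed) new top-level folder.
' Run as an administrator, with the MMC closed, using: cscript relocate-iis.vbs
Option Explicit

Const OLD_BASE = "C:\Inetpub"
Const NEW_BASE = "E:\SiteData"   ' assumed target; a non-default name is the point

Dim fso, shell
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Stop the services first so no files are open while the folders move.
' A non-zero result here only means the service was already stopped.
shell.Run "net stop w3svc", 0, True
shell.Run "net stop msftpsvc", 0, True

If Not fso.FolderExists(NEW_BASE) Then fso.CreateFolder NEW_BASE

' Move each root folder, then rewrite the Path property of its metabase node.
RelocateRoot OLD_BASE & "\wwwroot", NEW_BASE & "\wwwroot", "IIS://LocalHost/W3SVC/1/Root"
RelocateRoot OLD_BASE & "\ftproot", NEW_BASE & "\ftproot", "IIS://LocalHost/MSFTPSVC/1/Root"

' Restart the services; the article notes a second restart is needed afterwards.
RunAndCheck "net start w3svc"
RunAndCheck "net start msftpsvc"

' Copy the folder to the new drive, remove the original (the article's listing
' leaves the old copy behind), and update the metabase via the IIS ADSI provider.
Sub RelocateRoot(oldPath, newPath, adsPath)
    Dim node
    If fso.FolderExists(oldPath) Then
        fso.CopyFolder oldPath, newPath, True
        fso.DeleteFolder oldPath, True
    End If
    Set node = GetObject(adsPath)       ' IIsWebVirtualDir or IIsFtpVirtualDir
    node.Path = newPath
    node.SetInfo                        ' commit the change to the metabase
    WScript.Echo adsPath & " now points to " & node.Path
End Sub

' Run a command, wait for it to finish, and stop the script if it fails.
Sub RunAndCheck(cmd)
    Dim rc
    rc = shell.Run(cmd, 0, True)
    If rc <> 0 Then
        WScript.Echo "Command failed (" & rc & "): " & cmd
        WScript.Quit rc
    End If
End Sub
```

The same Path/SetInfo pattern extends to additional sites and virtual directories, which the article's script does not move: enumerate the site's Root node and rewrite the Path of each child whose path still begins with the old base. Test it on a non-production system first, as the article advises.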
Changing Paths During Installation
You now have a script for changing the default paths after the IIS installation, but how do you change the paths during installation? The answer is in the unattend.txt file (the answer file) that Windows uses to automate OS installations. For IIS, only a few settings are available, but these settings let you modify some key folders.
During my research, I found several articles stating that setting either the SMTP or NNTP folders through the answer file for an unattended installation wasn't possible. This limitation isn't a problem in my environment because we don't usually add the SMTP service to Web servers or FTP servers. However, I discovered at a client's site that after I installed IIS, the SMTP and NNTP folders were under the path I designated for the Web and FTP sites.
You can also change the default path of IIS folders by using Remote Installation Services (RIS) with either a Boot Disk or a system that has Bootstrap Protocol (BOOTP) features, with an answer file (unattend.txt) that gives Windows Setup the necessary information to incorporate the changes in the OS installation. (BOOTP is a TCP/IP protocol used to enable a diskless workstation to find its own logical IP address at startup.)
Win2K includes the sysocmgr.exe utility to help you script or automate the installation of additional Windows components after OS installation. Using the information in the Microsoft articles "How to Add or Remove Windows Components with Sysocmgr.exe" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q222444) and "How to Change the Default Installation Paths for FTP and the Web" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q259671), you can create a batch file and an answer file that will install IIS in the location you choose.
The answer file is a text document that contains certain parameters necessary for the application (sysocmgr.exe) to determine which components to install and in which locations. In researching moving the SMTP and NNTP folders, I found only a few parameters in the Win2K answer file that pertain to IIS. The answer file, iis.txt, consists of two sections. The answer file defines each of the sections by the title in square brackets. Within that section are the parameters that pertain to the IIS services setup. The first section, Components, tells the Windows Setup application sysocmgr which components to install. The second section, InternetServer, lets you specify a path for the FTP service, the Web service, and Microsoft Message Queue (MSMQ). The semicolons on each line denote comments on the settings. I've used comments on each line to explain what each parameter references. Note that if you save the answer file under a different name, you must change the command that references it to match.
To create the answer file, paste the information that Web Listing 2 shows into a new text document and save the file as iis.txt or another name you choose. Each of the components has only two options—on or off. You use this information in scripts to install the various components. The example file sets the installation to include SMTP, NNTP, HTML Administration, Documentation, Microsoft Transaction Server (MTS) Core Components, Index Server, and the FrontPage 2000 Server Extensions, but excludes the Personal Web Manager application, which is a workstation management console for a local Web server. Change the settings to suit your needs. In the answer file, there are actually two lines for the FrontPage Extensions that appeared in different TechNet articles. If the FrontPage Extensions fail to install correctly, use a semicolon to comment out the FP_Extensions, and uncomment the FP entry by removing the semicolon and run the file again. You use the file in conjunction with the following command:
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\temp\iis.txt
The command components are:
- /i:<path to Sysoc.inf file>, where <path to Sysoc.inf file> is the full path to the Sysoc.inf file; for example: C:\windows\inf\sysoc.inf
- /u:<path to answer file>, where <path to answer file> is the full path to the answer file that contains a list of items to add or remove
- /q - runs Sysocmgr.exe in quiet mode (without display pages)
- /r - suppresses reboot (if needed)
This example enables the installation of the common files for IIS, the IIS debugging tools, the FTP server, the Web administrator site (HTML), the MMC files, the SMTP server, the Web server, MTS, and Index Server. In the first section, two entries relate to FrontPage 2000 Server Extensions, and one is commented out. I haven't been able to determine which entry is correct or whether they represent different components of the application. In the second section, I designated the paths for the FTP server and the Web server, but commented out the path information for the MSMQ service.
For this example to function correctly, the IIS services must not already be installed. To use this example, paste the Sysocmgr command into a new text document and save the file as moveiis.bat. Place the moveiis.bat and iis.txt files in a temporary folder (the command above expects the answer file at c:\temp\iis.txt), then execute moveiis.bat, which starts the Windows component installation and installs the components selected in the answer file.
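As an added example (my own, not the article's Web Listing 2), here is an answer file with the two sections the text describes. The component IDs are the IIS 5.0 entries from %windir%\inf\sysoc.inf, and the two path keys are the ones documented in the Microsoft article Q259671 cited above; the E:\SiteData paths are assumed values chosen for this example, and the MSMQ path entry and the second FrontPage line the article mentions are left out.

```ini
; iis.txt -- added example answer file, not the article's Web Listing 2.
; Component IDs come from the Win2K sysoc.inf; paths are assumed values.
[Components]
iis_common = on       ; common files every IIS service needs
iis_inetmgr = on      ; Internet Services Manager (MMC snap-in)
iis_www = on          ; Web server
iis_ftp = on          ; FTP server
iis_smtp = on         ; SMTP service
iis_nntp = on         ; NNTP service
iis_htmla = on        ; HTML-based remote administration site
iis_doc = on          ; documentation
iis_pwmgr = off       ; Personal Web Manager: a workstation console, not wanted on a server
indexsrv_system = on  ; Index Server
fp_extensions = on    ; FrontPage 2000 Server Extensions

[InternetServer]
; Non-default drive and folder name, so scans for the stock C:\Inetpub layout miss
PathFTPRoot = E:\SiteData\ftproot
PathWWWRoot = E:\SiteData\wwwroot
```

Save the file as c:\temp\iis.txt and run it with the sysocmgr command shown above (add /q to suppress the setup pages). Only the FTP and Web roots take a path here; as the article observes, the SMTP and NNTP folders end up under the same parent as the Web and FTP roots when installed this way.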
After the installation is complete, the Web and FTP folders are in the location I chose for my environment. The advantage to making a few changes is that I can quickly adjust a new installation to suit my needs. If modifying the metabase seems too extreme, you can uninstall the IIS services from the Add/Remove Software Wizard, then reinstall IIS by using the answer file and the batch file to specify the location of choice. I found that by using the batch file, the SMTP services were in the same location as the FTP and Web services.
For our organization and the clients who use our services, the ability to change the default path of IIS folders is a crucial piece of our security model. We use these path changes with other settings to increase the security on our systems. Changing the file locations adds a barrier.
In addition, changing the default paths for IIS folders benefits ISPs that use Win2K servers for hosting Web sites or user sites. Unless Microsoft adds to Win2K the ability to change the IIS installation path through the setup program, you need to use VBScript or perform special installations to relocate the default folders.