I'm mostly a developer that also has to manage servers (I did earn my MCSE back in 2006 at least) so please be gentle.

I have a web server that is Windows 2019 Standard, has been running for just over a year and I do vulnerability scans quarterly(ish). This last scan showed up with "Microsoft IIS Tilde Character Information Disclosure Vulnerability."

The scan report included a link to here:

https://techcommunity.microsoft.com/t5/iis-support-blog/iis-short-name-enumeration/ba-p/3951320

which had me flip a bit in the registry. I probably shouldn't have just jumped in and done that, but I did.

I rebooted and re-scanned but it's still there, so on further research I found this link:

Fixing the IIS tilde vulnerability

I ran the "fsutil 8dot3name scan /s /v E:\inetpub\wwwroot" command and it resulted in a LOT of files... I see the next step is to run the strip command but... I'm scared.

Am I in danger?

1 Answer

This really depends on whether you have code or configuration that uses existing 8.3 paths, for whatever reason. There shouldn't be, and not creating 8.3 files is a good start, but I'm inclined to think there isn't anything to prevent using existing short names.

A good backup would be the contingency. Assessing this for mitigation is probably elusive. Perhaps you could try running ProcMon and filtering for only file paths that have a tilde and begin with the IIS root path. ProcMon isn't designed to run for extended periods so I would only run it for 30 minutes or less at a time and don't use the pagefile for a backing store.

Greg Askew
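
A static complement to the ProcMon check suggested in the answer, as an added example that is not part of the original thread: it lists text references to 8.3-style names in the site's own files so they can be reviewed before any short names are stripped. The function name `Find-ShortNameReference`, the extension list and the sample `web.config` lines are assumptions made for illustration.

```powershell
# Added example, not from the original thread. Lists text references to 8.3
# short names under a web root so they can be reviewed before any strip.
function Find-ShortNameReference {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumed set of text file types; adjust to what the site actually uses.
        [string[]] $Extensions = @('.config', '.asp', '.aspx', '.cshtml', '.xml',
                                   '.json', '.ini', '.bat', '.cmd', '.ps1')
    )
    # One path component in 8.3 form: up to 6 base characters, "~", a number and
    # an optional extension of up to 3 characters (PROGRA~1, WEBCON~1.CON).
    # ASP.NET app-relative paths ("~/bin") do not match because a digit must
    # follow the tilde. Hits are candidates for review, not proof of use.
    $pattern = '(?<![\w~])[\w$%@!#&-]{1,6}~\d+(\.\w{1,3})?(?![\w~])'

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension } |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            $hit = $_
            foreach ($m in $hit.Matches) {
                [pscustomobject]@{
                    File      = $hit.Path
                    Line      = $hit.LineNumber
                    ShortName = $m.Value
                }
            }
        }
}

# Constructed sample so the function can be tried offline.
# On the server, pass the real web root to -Root instead.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('sn-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'web.config') -Value @(
    '<add key="ToolPath" value="C:\PROGRA~1\Vendor\tool.exe" />',  # short name
    '<add key="Upload" value="~/App_Data/uploads" />'              # app-relative
)
Find-ShortNameReference -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

This only sees references written into files on disk; short-name paths built at run time would show up in the ProcMon trace instead.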