Do we need to install/move IIS related folders to a non-System drive?


It is not possible to install IIS on a non-system drive. Well “not possible” may be too restrictive, I would say it is not recommended or not supported to do so.

At CSS we see a lot of issues relating to the above topic. One needs to relocate (or even Install) the IIS related folder to other drive than system drive.

They say that it is a Security Vulnerability. This is the confusing part. What is this Vulnerability?

  • The important point is how the web-application is configured and not where IIS is installed. None of the application will ever have access to the IIS related folders.
  • Consider a scenario where you configure your application to run under the context of an administrator or Local System. If the application is compromised, then the entire server is compromised.
  • Irrespective of where the application is installed, if it is not configured properly, then it is of now use where or how you install the web-app.

The recommended suggestion is to configure your application on a non-system drive, so that in case if there is a compromise, it doesn’t have access to system drive.

NOTE: W3WP.exe cannot access the IIS Installation folders or Data directories. You can restrict access to folders on the server via NTFS permissions.

It is neither supported nor recommended to delete or re-locate the original IIS directories. A support article has been issued to address this situation.

Here is the link: http://support.microsoft.com/kb/2752331 

This contains the script that can be used to relocate the IIS data directories to a non-system drive keeping the original directories intact.

NOTE: Do not delete the original directories under “%systemdrive%/inetpub”. Don’t even think of touching the INETSRV folder. The script in the above support article re-configures the folders to another non-system drive. During event of Windows Update, the original directories will be updated and not the re-configured ones. So, now you know why they should not be deleted.


Comments (5)

  1. Srikanth Kammadanam says:

    Good Article.

  2. Alejandro Gamboa says:

    Technet says the exact opposite in technet.microsoft.com/…/jj635855.aspx for IIS 8.0 best practices under the Installation and configuration heading.

  3. Alejandro, I dunno what confusd you. But this is what TechNet reads:

    "Move the Inetpub folder from your system drive to a different drive.

    By default IIS 8 sets up the Inetpub folder on your system drive (usually the C drive). If you move the folder to a different partition, you can save space on your system drive and improve security. For information about how to the Inetpub folder, see the following blog post: Moving the INETPUB directory to a different drive."

    This content hyperlinks to this blog then: blogs.iis.net/…/moving-the-iis7-inetpub-directory-to-a-different-drive.aspx

    He clearly mentions in bloghighlighted in red on not deleting the inetpub folder:

    Below is the snippet form the above blog link:

    "PLEASE BE AWARE OF THE FOLLOWING:

    WINDOWS SERVICING EVENTS (I.E. HOTFIXES AND SERVICE PACKS) WOULD STILL REPLACE FILES IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE

    TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES IS NOT POSSIBLE. "

  4. David says:

    I think what Alejandro is saying is that you are saying along with that KB article that it isnt best practice to move the folder, yet in the security best practice article also provided by microsoft it says you should move it. Not that deleting it isnt bad.

    I think Microsoft need to give definitive answer, remove the conflicting information.

  5. I see what you are trying to say. I think it should be more clearer. I would recommend having a copy of inetpub on another drive and not delete the original drive.