Do we need to install/move IIS related folders to a non-System drive?

It is not possible to install IIS on a non-system drive. Well, "not possible" may be too restrictive; I would say it is not recommended and not supported to do so.

At CSS we see a lot of issues relating to this topic: customers are asked to relocate (or even install) the IIS-related folders to a drive other than the system drive.

They say that it is a security vulnerability. This is the confusing part. What is this vulnerability?

  • The important point is how the web application is configured, not where IIS is installed. No application will ever have access to the IIS-related folders.
  • Consider a scenario where you configure your application to run under the context of an administrator or Local System. If the application is compromised, then the entire server is compromised.
  • Irrespective of where the application is installed, if it is not configured properly, then it is of no use where or how you install the web app.

The recommendation is to configure your application on a non-system drive, so that if it is compromised, it does not have access to the system drive.

NOTE: W3WP.exe cannot access the IIS installation folders or data directories. You can restrict access to folders on the server via NTFS permissions.
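The following PowerShell audit is an added example, not from this post or the support article. It checks each IIS site against the three points above (worker process identity, content location, NTFS write access for the pool identity) and assumes the WebAdministration module (IIS 7.5 or later) and an elevated session:

```powershell
# Added example: audit IIS sites for the configuration issues discussed above.
# Assumes the WebAdministration module is available and the session is elevated.
Import-Module WebAdministration

$systemDrive = $env:SystemDrive            # e.g. "C:"
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
               [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
               [int][System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($site in Get-Website) {
    $pool     = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $identity = [string]$pool.processModel.identityType   # LocalSystem, ApplicationPoolIdentity, ...
    $path     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $findings = @()

    # 1. Worker process identity: LocalSystem (or a custom account that is an administrator)
    #    means a compromised application owns the whole server.
    if ($identity -eq 'LocalSystem') { $findings += 'app pool runs as LocalSystem' }
    if ($identity -eq 'SpecificUser') {
        $findings += "app pool runs as custom user '$($pool.processModel.userName)'; verify it is not an administrator"
    }

    # 2. Content location: the recommendation is a non-system drive.
    if ($path.StartsWith($systemDrive, 'OrdinalIgnoreCase')) {
        $findings += "content lives on the system drive ($path)"
    }

    # 3. NTFS permissions: neither the pool identity nor broad groups should be able to write the content.
    $principals = @("IIS AppPool\$($site.applicationPool)", 'Everyone',
                    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    if (Test-Path $path) {
        foreach ($ace in (Get-Acl $path).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $principals -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                $findings += "$($ace.IdentityReference.Value) has write access ($($ace.FileSystemRights)) on $path"
            }
        }
    }

    [pscustomobject]@{
        Site     = $site.name
        AppPool  = $site.applicationPool
        Identity = $identity
        Path     = $path
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

A site reporting 'OK' runs under a non-administrative identity, keeps its content off the system drive, and grants no write access to the pool identity or broad groups; pipe the output to Format-Table -Wrap to read long findings.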

It is neither supported nor recommended to delete or relocate the original IIS directories. A support article has been issued to address this situation.

Here is the link: https://support.microsoft.com/kb/2752331

It contains a script that relocates the IIS data directories to a non-system drive while keeping the original directories intact.

NOTE: Do not delete the original directories under "%systemdrive%\inetpub". Don't even think of touching the INETSRV folder. The script in the above support article reconfigures the folders to another, non-system drive. When Windows Update runs, the original directories are updated, not the reconfigured ones. So, now you know why they should not be deleted.