IIS Parent Paths

Issue

If ASPEnableParentPaths is enabled and the parent directories have execute access, a script could run an unauthorized program in a parent directory.

Solution

Disable the ASPEnableParentPaths option on Internet Information Services (IIS).

Instructions

To disable the ASPEnableParentPaths option in Windows XP Professional

Click Start, point to Programs, then Administrative Tools, then click Internet Information Services.
In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
In the Application Configuration dialog box, click the Options tab, and then clear the Enable parent paths check box.

To disable the ASPEnableParentPaths option in Windows 2000

Click Start, point to Programs, then Administrative Tools, then click Internet Services Manager.
In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
In the Application Configuration dialog box, click the App Options tab, and then clear the Enable parent paths check box.

To disable the ASPEnableParentPaths option in Windows NT

Click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
In the Internet Information Services Manager, right-click the root of the Web site that you want to secure, and then click Properties.
In the Default Web Site Properties dialog box, click the Home Directory tab, and then click Configuration.
In the Application Configuration dialog box, click the App Options tab, and then clear the Enable parent paths check box.

Additional Information

AspEnableParentPaths MetaBase Property Should Be Set To False (Q184717)