Since the introduction of Windows 2000, I've missed a feature that I used in the Windows NT 4.0 Option Pack to manage services and prevent Web server attacks: the ability to change the default paths and folder names for IIS 5.0. Rather than offering IIS as a separate program, the Option Pack included IIS 4.0 as part of the installation options. Administrators could easily designate the path for the default folders and files associated with each IIS service, segment FTP servers to separate drives, and move Network News Transfer Protocol (NNTP) and SMTP folders to large drives to accommodate file proliferation. In particular, I appreciated the ability to change the name of the default paths to guard against attackers.

But the Win2K installation process uses a default path for the IIS files (the INETPUB folder on the system drive), and you can't change the path during setup by using the Win2K installation CD-ROM. Administrators need to be aware that most major server manufacturers use an installation process that installs IIS by using the default paths, which attackers can easily exploit. Last year, my company saw hundreds of attacks against our servers each day; intruders looked for files in the default locations. We discovered that you can change the default paths for IIS in one of two ways: You can change the default paths for IIS after installation or change the path during installation. I describe both methods in this article and discuss how to avoid a few stumbling blocks.

Changing Default IIS Paths After Installation
To change the default paths of IIS after installation, you can use VBScript to move the folders to a new location and modify the metabase so that IIS recognizes the new paths for the files. The script in Web Listing 1 (http://www.windowswebsolutions.com, InstantDoc ID 25987—which I found in a Microsoft article that no longer exists on the Microsoft site), provides a sample script you can use to relocate the Web and FTP folders. However, the article doesn't explain how to move the SMTP or NNTP folders. In addition, the script has some aspects that administrators need to consider before executing it. The script

• doesn't include the parameters for moving the NNTP folders if they're installed.
• assumes that the machine that has a D drive includes the folders on the SMTP site, so if the SMTP service isn't installed, you need to comment out these lines before running the script.
• assumes that IIS is already installed on the system and in the default locations.
• uses the adsutil.vbs file and expects to locate the file in the C:\inetpub\adminscripts folder.
• copies the files instead of moving them, leaving the files in the old locations on the system.

Despite these catches, the default script does significant error checking and can work well for systems on which IIS is already installed. The script also relocates the Index Service catalogs at the same time it changes the IIS file locations. Another plus is that you don't need to stop the services for IIS or Index Server because the script stops the services and restarts them when finished. You can easily walk around the script's glitches by editing the script, either modifying lines or commenting them out.

To use the script, save the file with a name such as autoweb.vbs (or choose another name, but be sure to use the .vbs extension), as Web Listing 1 shows. To comment out a line, place an apostrophe ( ' ) at the beginning of the line, which will cause the script engine to ignore the line information and continue processing. To modify the path, use Notepad or another text editor to search the file for INETPUB and replace the path with the top-level folder you choose for the location of the IIS files.

You need to modify the default script to move the NNTP folders and files. Because the script doesn't include the parameters for the NNTP folders and files, adding this information for the service will cause the script to fail if the NNTP service isn't present. However, the script will work if the NNTP parameters aren't present in the script but the service is present. To modify the default script, download the autoweb file, follow these steps as you edit the file in a text editor, or download Web Listing 2 and edit the script in a text editor.

1. Change the line DIM PARAMS (7) to DIM PARAMS (21). This step modifies the variables within the script.
2. Change the line DIM PARAMS2 (3) to DIM PARAMS2 (4)
3. On the next line down from the line that begins with "Params (7) =", add the lines that Web Listing 2 shows.
4. Add
   
   Params2 (4) = "nntpsvc"
   
   on the next line below Params2 (3) ="w3csvc".