Bugtraq mailing list archives

Re: Win32 File Naming (again)

From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 16 Aug 1999 12:12:47 -0700


At 01:58 PM 8/14/99 -0700, x-empt [ lvhc / lou ] wrote:

While testing IIS security, I was able to locate an old flaw which is
still present in  many server services on  Win32.  The  problem deals
with a compatibility issue with the old  Win16/DOS file naming system
known as the 8.3 naming system.


<snip>

One well-known workaround for this issue that will take care of this
problem, regardless of the server software, is to disable 8.3 filenames.
If you open the following registry key:

HKEY_LOCAL_MACHINE\System
        \CurrentControlSet
                \Control
                        \FileSystem

And create a value named NtfsDisable8dot3NameCreation, type REG_DWORD, and
set it to 1, then the operating system will not create 8.3 filenames (I
think you'd have to reboot for it to take effect).  Note that this isn't
retroactive, so you'd need to move any trees you want updated, and then
move them back.  This is something that should be on anyone's checklist
when setting up a web or FTP server prior to putting content on that server.

BTW, setting this value also gets you a modest improvement in file system
performance.  It will also break 16-bit apps, but hopefully you're not
running any antique applications on your server.  As always, test this sort
of change thoroughly before putting it into production.

Oh - and obviously this only works if you're using NTFS.

David LeBlanc
dleblanc () mindspring com

Current thread:

IIS 4.0 remote DoS (MS99-029) Nobuo Miwa (Aug 11)
- Re: IIS 4.0 remote DoS (MS99-029) Chuck Rock (Aug 13)
- Win32 File Naming (again) x-empt [ lvhc / lou ] (Aug 14)
  - Re: Win32 File Naming (again) David LeBlanc (Aug 16)
  - Re: Win32 File Naming (again) Marc Slemko (Aug 16)