Penetration Testing mailing list archives

Frontpage files


From: "Burnett, Robert" <burnettr () Fortrex com>
Date: Thu, 28 Oct 2004 12:56:56 -0400

Hello,

When pentesting, I sometimes come across web servers that have the _vti_bin and all the other _vti_* directories 
present even though Frontpage Extensions have been disabled.  In IIS, when you disable the Extensions, shouldn't those 
directories be removed as well?  Or are they still needed for some reason?  I have developed a website using Frontpage 
before, and I noticed that the Frontpage-generated HTML would often invoke scripts located in the "_fpclass" folder, 
but not the _vti_* folders.

My second question is, if Frontpage Extensions are disabled, and those directories are still present, can files inside 
them (e.g. author.dll, admin.dll) still be exploited in any way, or are they harmless?

Thanks.

Robert