Microsoft Security Decisions

I ran across another security blunder Microsoft made, at least that’s how I see it. Say you install Service Pack 1 for Windows 2003 Server. One of the ‘security fixes’ SP1 makes is to turn the Parent Paths feature off in IIS 6.0. The rest of the IT world (outside of MS IIS) knows Parent Paths as relative paths. Relative paths allow you to reference files that aren’t in the current directory without having to code an absolute path like http://www.example.tld/users.html. I have used relative paths for many years, and I love them. They allow me to code and test my site on my local machine, then upload it to the server without all the links breaking.
Microsoft posted a support response to explain why Windows 2003’s SP1 disables relative paths, and they say it was for security reasons. Further research revealed that it is possible to use ASP includes to get a file outside of the web site’s root, which is an obvious security hole. So instead of fixing that in ASP, they just disable all relative paths by default! It reminds me of how MS blocks a lot of useful files in Outlook now, and it requires a registry hack to allow them (which doesn’t work if you’re on an Exchange domain, at least at my job). That’s like removing your hands because you might touch a hot pan, when you could just use hot pads. When will MS grow a brain?
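As an added example (not from the original post), here is a small Python audit script that resolves ASP `#include` directives the way IIS does once parent paths are allowed and flags the ones that resolve outside the web root, so an administrator can see which pages actually depend on `..` escaping the site before deciding whether to re-enable the setting. The site root, page path and ASP source below are constructed sample data.

```python
import os
import re

# Matches ASP server-side include directives such as
#   <!--#include file="../common/header.asp"-->  or  <!--#include virtual="/inc/foo.asp"-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

def resolve_include(webroot, asp_path, kind, target):
    """Resolve an include target the way IIS does once parent paths are allowed:
    'file' targets are relative to the including page's directory, 'virtual'
    targets are relative to the site root. Returns a normalized absolute path."""
    target = target.replace("/", os.sep)
    if kind.lower() == "virtual":
        base, target = webroot, target.lstrip(os.sep)
    else:
        base = os.path.dirname(asp_path)
    return os.path.normpath(os.path.join(base, target))

def find_escaping_includes(webroot, asp_path, source):
    """Return (directive, resolved_path) for every include whose resolved path
    lies outside webroot, i.e. the includes that need parent paths AND would
    pull in content the web site was never meant to serve."""
    webroot = os.path.abspath(webroot)
    asp_path = os.path.abspath(asp_path)
    findings = []
    for m in INCLUDE_RE.finditer(source):
        resolved = resolve_include(webroot, asp_path, m.group(1), m.group(2))
        # commonpath compares whole components, so a sibling directory such as
        # /inetpub/wwwroot2 is correctly treated as outside /inetpub/wwwroot.
        if os.path.commonpath([webroot, resolved]) != webroot:
            findings.append((m.group(0), resolved))
    return findings

# Constructed sample: a page one directory below a hypothetical site root.
SAMPLE_ROOT = os.path.join(os.sep, "inetpub", "wwwroot")
SAMPLE_PAGE = os.path.join(SAMPLE_ROOT, "users", "list.asp")
SAMPLE_SOURCE = """
<!--#include file="../common/header.asp"-->
<!--#include virtual="/common/footer.asp"-->
<!--#include file="../../private/settings.inc"-->
"""

def audit_sample():
    """Audit the constructed sample; only the third include escapes the root."""
    return find_escaping_includes(SAMPLE_ROOT, SAMPLE_PAGE, SAMPLE_SOURCE)

if __name__ == "__main__":
    for directive, path in audit_sample():
        print(f"{directive} -> {path} (outside web root)")
```

The first two includes use `..` or a virtual path but stay inside the site, which is the legitimate use the post describes; only the third one is the kind of include that justified turning the feature off.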