Why is it good to have website content files on a separate drive other than system (OS) drive?

iis web-server security iis-7.5 audit
5,329

Solution 1

One reason is that if you have dynamically created content that is put into that directory and it runs wild, you may crash the OS if it runs full-disk. This will not happen if a non-system partition runs full-disk, it will probably just crash your app.

Solution 2

While separate partitions were advocated in the past they are not really required. If there's a security compromise it's your machine that's up for grabs, not just a partition.

The issue MarkM raised can be addressed by monitoring disk space, which I believe should be employed on all servers anyway, and alerts issued when the space gets below preset thresholds. It's not too difficult to add change rate monitoring and restart applications or even the server itself in the event of a runaway process.

Solution 3

the only security reason I can think of is parent paths... if you have a website hosted out of c:\wwwroot and had a poor IIS configuration someone could get to content hosted on the same partition. I beleive this was an issue with IIS 5

Other than that the main reason would be logs and other content filling up your system partition (as mentioned by MarkM)

Share:
5,329
Jeffrey
Author by

Jeffrey

Updated on September 18, 2022

Comments

  • Jeffrey
    Jeffrey over 1 year

    I am wondering what benefits will give me to move all website content files from the default inetpub directory (C:) to something like D:\wwwroot. By default IIS creates separate application pool for each website and I am using the built-in user and group (IURS) as the authentication method. I’ve made sure each site directory has the appropriate permission settings so I am not sure what benefits I will gain. Some of the environment settings are as below:

    • VMWare Windows 2008 R2 64
    • IIS 7.5
    • C:\inetpub\site1
    • C:\inetpub\site2

    Also as this article (moving the iis7 inetpub directory to a different drive) points out, not sure if it's worth the trouble to migrate files to a different drive:

    PLEASE BE AWARE OF THE FOLLOWING: WINDOWS SERVICING EVENTS (I.E. HOTFIXES AND SERVICE PACKS) WOULD STILL REPLACE FILES IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES IS NOT POSSIBLE.

  • Jeffrey
    Jeffrey about 14 years
    Yes it is a valid reason but I don't see it to be that "security" related. It's more to do with reliability than security do you agree?
  • MDMarra
    MDMarra about 14 years
    @Jeffery - Agreed. I didn't see anything in your question asking for security benefits, just benefits in general. My mistake if I misunderstood you.
  • Philip
    Philip about 14 years
    It does depend a bit on the OS too. I've filled a Win2008 C: drive and Windows did not crash. I know that was generally not the case in 2003 or especially before.
  • MDMarra
    MDMarra about 14 years
    @Chris S - Agreed, '08 isn't bulletproof though when it comes to full-disk scenarios. Load up a couple in test and see. It does seem to be more resilient to it than '03 was though.
  • mfinni
    mfinni about 14 years
    Yeah - the recommendation was much more important under older Windows/IIS versions. With static content and a modern OS/IIS, it matters much less.
  • commandbreak
    commandbreak about 14 years
    I wasn't referencing a security compromise, as such, more of an unsecure configuration which would allow someone to traverse out of c:\wwwroot
  • Axel
    Axel about 10 years
    It is unlikely to crash but it may stop things being logged as there is no room to expand log files, and can cause updates to fail in a way that makes them hard to retry. It is considered a security issue because it could be used as part of a denial of service attack our to make other attacks harder to see/diagnose because of the logining issue.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Anonymous Authentication <anonymousAuthentication> / 403 - Forbidden: Access is denied
DOS attack "slow post" : How to prevent in IIS
Is it possible to log additional HTTP headers in IIS logs?
IIS 7 What does Physical path credentials logon type mean?
What are the "to-do" on protecting Windows server facing the web?
Troubleshooting Windows Authentication problems (no challenge) in IIS 7.5?
Why does my ASP.NET 4.0 web service fail with a compliation error with NetworkService but succeed with LocalSystem
IIS7 give ApplicationPoolIdentity access to a network location
Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles
Precompilation related error from an ASP.NET website that is NOT precomplied