How to Fix Microsoft IIS Tilde Character Short File/Folder Name Disclosure


Microsoft Internet Information Server (IIS) suffers from a vulnerability which allows the detection of short names of files and directories which have an equivalent in the 8.3 version of the file naming scheme. By crafting specific requests containing the tilde ‘~’ character, an attacker could leverage this vulnerability to find files or directories that are normally not visible and gain access to sensitive information. Given the underlying filesystem calls generated by the remote server, the attacker could also attempt a denial of service on the target application.


Method 1
Run the following command at a command prompt:
fsutil behavior set disable8dot3 1
And then restart the computer.

Method 2

Click Start, click Run, type regedit, and then click OK.

Locate and then click the registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.

Right-click NtfsDisable8dot3NameCreation, and then click Modify.

In the Value data box, type 1, and then click OK.

Note: The default value is 0.

Exit Registry Editor.

To make this registry change effective, restart the computer.
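Both methods change the same setting (NtfsDisable8dot3NameCreation under the FileSystem key), so they can be audited and applied together. The following PowerShell script is an added example, not part of the original article: it reads the current value, sets it to 1 if needed, cross-checks with fsutil, and then lists files under the web root that already carry an 8.3 short name. That last step matters because disabling short-name creation only stops new short names from being generated; files that already have one keep it until it is stripped. The script assumes an elevated PowerShell session on the IIS host, and the $WebRoot path is an assumption to adjust for your site.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Audits and applies the 8.3
# short-name setting described in Method 1 and Method 2, then checks for
# existing short names that the setting alone will not remove.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$RegName = 'NtfsDisable8dot3NameCreation'
$WebRoot = 'C:\inetpub\wwwroot'   # assumption: change to your site's root

# 1. Read the current value. The default is 0 (short names are created).
$current = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
Write-Host "Current $RegName = $current"

# 2. Method 2 via PowerShell: set the value to 1 to disable 8.3 name creation.
if ($current -ne 1) {
    Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord
    Write-Host 'Set to 1. Restart the computer for the change to take effect.'
} else {
    Write-Host 'Already set to 1; no change made.'
}

# 3. Method 1 reads/writes the same setting; use it as a cross-check.
fsutil behavior query disable8dot3

# 4. Caveat: files created before the change keep their short names.
#    Recursively list any that remain under the web root so you can decide
#    whether to strip them (fsutil 8dot3name scan/strip exist on Windows 7 /
#    Server 2008 R2 and later). This only reports; it does not modify files.
fsutil 8dot3name scan /s $WebRoot
```

If the scan reports short names, `fsutil 8dot3name strip /s <directory>` removes them; run the scan first and review the output, because stripping a short name that some installed application references (for example in its own registry values) can break that application.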