IIS Tilde Enumeration

Description

IIS Tilde Enumeration (sometimes referred to as the IIS Short Filename Vulnerability) leverages how Windows systems historically support 8.3 short filenames. When running Microsoft Internet Information Services (IIS), attackers can use requests referencing truncated directory or file names that include a tilde character (~), such as FOLDER~1, to probe for the existence of hidden directories or files. By systematically guessing these short names, an attacker may discover sensitive paths or filenames that should not be publicly exposed.

This issue stems from legacy DOS-compatible naming schemes in Windows. If short filename creation is enabled on the file system, each long filename also has an 8.3-compatible alias. IIS, depending on its configuration, may respond differently when a correct or incorrect short name is requested, thus exposing otherwise undisclosed directory or file structures.

Examples

Discovering Hidden Folders

If the legitimate folder on the server is SecretAdmin, the 8.3 short name might be SECRE~1. An attacker might probe the server with URLs like:

GET /SECRE~1/ HTTP/1.1
Host: example.com

  • If the server responds with a 200 OK (or a 403/401 implying it exists but is restricted), the attacker learns the folder likely exists.
  • If it responds with a 404 Not Found, the guess was incorrect and they move on to another short name guess.

Enumerating File Names

Similarly, if a file is named ImportantConfig.txt in the Config directory, the attacker might test requests for IMPOR~1.TXT in that directory:

GET /Config/IMPOR~1.TXT HTTP/1.1
Host: example.com

Differences in the server's response codes or error messages can reveal the presence of that file even if it is not directly linked anywhere on the site.
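
On the defensive side, the same response-code difference can be spotted in IIS W3C logs. The following is an added example, not code from the original page: it flags clients that request many 8.3-style paths and lists the guesses that were not answered with 404. The function name, the min_requests threshold and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# 8.3 alias as a path segment: up to 6 base characters, "~", a digit and an
# optional extension of up to 3 characters (e.g. SECRE~1, IMPOR~1.TXT).
SHORT_NAME = re.compile(r"(?:^|/)[^/~]{1,6}~\d(?:\.[^/.]{1,3})?(?=/|$)")

# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:00 GET /index.html 198.51.100.7 200
2024-01-01 10:00:01 GET /ADMIN~1/ 203.0.113.5 404
2024-01-01 10:00:02 GET /BACKU~1/ 203.0.113.5 404
2024-01-01 10:00:03 GET /SECRE~1/ 203.0.113.5 403
2024-01-01 10:00:04 GET /Config/IMPOR~1.TXT 203.0.113.5 200
2024-01-01 10:00:05 GET /~user/page.html 198.51.100.7 200
"""

def find_short_name_probes(log_text, min_requests=3):
    """Return {client_ip: {"total": n, "not_404": [(uri, status), ...]}}
    for clients that requested at least min_requests 8.3-style paths."""
    fields = []
    hits = defaultdict(lambda: {"total": 0, "not_404": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if not SHORT_NAME.search(uri):
            continue
        entry = hits[row.get("c-ip", "-")]
        entry["total"] += 1
        # A non-404 answer means the guessed alias matched something real.
        if row.get("sc-status") != "404":
            entry["not_404"].append((uri, row.get("sc-status")))
    return {ip: e for ip, e in hits.items() if e["total"] >= min_requests}

if __name__ == "__main__":
    for ip, e in find_short_name_probes(SAMPLE_LOG).items():
        print(ip, e["total"], "short-name requests; not 404:", e["not_404"])
```

The threshold keeps a single request for a long filename that happens to contain a tilde and a digit from raising an alert; the paths listed under not_404 are the ones whose ACLs should be reviewed first.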

Remediation

  1. Disable 8.3 Filename Creation

    • If your Windows version and application setup allow it, you can disable 8.3 short file name generation on new volumes using registry settings or system policies.
    • (Be mindful that changing this setting may impact legacy applications.)
    • For example, on some Windows systems, you can modify:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
    NtfsDisable8dot3NameCreation = 1
    
  2. Apply Security Patches and Updates

    • Ensure you are running a fully updated version of IIS and Windows.
    • Microsoft has released updates over time that reduce the leakage of file and directory information via the short name mechanism.

  3. Restrict Folder and File Access

    • Use proper Access Control Lists (ACLs) to lock down sensitive directories and files, preventing unauthorized access even if short filename enumeration reveals their existence.
    • Set up robust authorization checks within IIS to ensure only intended users can access critical resources.