Re: About That “inetpub” Folder ...

Subject : Re: About That “inetpub” Folder ...
From : nospam (at) *nospam* needed.invalid (Paul)
Groups : comp.os.linux.advocacy alt.comp.os.windows-11
Date : 10. Jun 2025, 09:47:10
Organization : A noiseless patient Spider
Message-ID : <1028ref$15534$1@dont-email.me>
References : 1 2 3
User-Agent : Ratcatcher/2.0.0.25 (Windows/20130802)
On Tue, 6/10/2025 2:08 AM, vallor wrote:
> On Tue, 10 Jun 2025 01:14:27 -0400, Paul <nospam@needed.invalid> wrote in
> <1028evl$129fb$1@dont-email.me>:
>
>> On Mon, 6/9/2025 7:58 PM, Lawrence D'Oliveiro wrote:
>>> Lately, a mysterious empty folder called “inetpub” has been appearing
>>> on Windows machines after recent Microsoft security updates. Some were
>>> old enough to remember that this folder was part of the installation
>>> of Internet Information Server, which was Microsoft’s attempt to
>>> compete with the open-source heavyweights in the web server world. It
>>> was a product that was infamous for its security vulnerabilities, so
>>> when people saw this familiar name reappear out of the dead past, it
>>> was no surprise that some went “Aieeee! Security hole! Delete!
>>> Delete!”.
>>>
>>> But it turns out that this is no bug, it’s a feature! It is somehow a
>>> required part of Microsoft’s current security mechanisms for Windows.
>>> (How? Why? Nobody seems able to explain ...) And not only that, if you
>>> delete it (accidentally or otherwise), you cannot simply fix things by
>>> recreating a folder in the same location with the same name.
>>>
>>> Instead, you have to go through the rigmarole of downloading and
>>> running some PowerShell script that Microsoft helpfully provides
>>> <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.
>>>
>>> Even running the script is not a straightforward process: it requires
>>> the entry of several cumbersome and error-prone shell commands.
>>>
>>
>> C:\>dir
>>  Volume in drive C is W11HOME
>>  Volume Serial Number is
>>
>>  Directory of C:\
>>
>> Mon, 06/12/2023  03:19 AM    <DIR>          AMD
>> Thu, 11/24/2022  06:13 PM    <DIR>          boot
>> Sun, 07/17/2022  12:33 PM    <DIR>          cygwin
>> Mon, 05/23/2022  10:49 PM            12,288 DumpStack.log
>> Thu, 12/19/2024  07:57 PM    <DIR>          ESD
>> Wed, 04/09/2025  02:05 AM    <DIR>          inetpub   <=== very pretty, I saw that...
>> Sat, 04/23/2022  11:17 PM    <DIR>          MinGW
>> Sat, 05/07/2022  01:24 AM    <DIR>          PerfLogs
>> Mon, 06/09/2025  11:07 PM    <DIR>          Program Files
>> Sat, 05/10/2025  06:40 PM    <DIR>          Program Files (x86)
>> Wed, 02/16/2022  11:06 AM           357,548 Reflect_Install.log
>> Wed, 05/28/2025  09:05 AM                94 rescuepe.log
>> Wed, 05/28/2025  08:00 AM    <DIR>          Temp
>> Thu, 09/22/2022  06:16 AM    <DIR>          Users
>> Wed, 05/14/2025  12:40 AM    <DIR>          Windows
>>
>> I didn't spend more than about five seconds thinking about that when
>> I saw it. I just... moved on.
>>
>> *******
>>
>> I don't see anyone taking credit for this cheese&cracker spree.
>>
>> https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0/Content/Set-InetpubFolderAcl.ps1
>>
>>     $sddlInetpub = "O:SYG:SYD:P(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)"
>>
>> It's better to print them out stacked. Now, compare to the Security tab on the thing.
>>
>> $sddlInetpub = "O:SYG:SYD:P
>>                 (A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
>>                 (A;CIOI;GA;;;SY)
>>                 (A;CIOI;GA;;;BA)
>>                 (A;CIOI;GRGX;;;BU)
>>                 (A;CIOI;GA;;;CO)"
>>
>> And roughly translated, that means:
>>
>>    "Don't fuck with me, I have the death sentence on twelve planets."
>
> Could you translate that into something more technical?

If every time this topic comes up (an ICACLS representation of a security tab),
and you see a new pattern and a new feature, exactly how good of an explanation
can you give for these things? I'm no good at parsing these.

I know one of them is for SYSTEM, one for Administrator, one for User,
but the CIOI, I'd have to go look that up.

Ordinary folders are not owned by TrustedInstaller. Typically, only materials
to be installed have that ownership ("Program Files"). The TrustedInstaller seems to have
the same permissions in the example, as Administrator and SYSTEM.

What you could do, is plug that into CoPilot and ask for an English description
of the permissions :-)

I'm going to run this now, and see what my untarnished folder looks like.

icacls  c:\inetpub   /save D:\perms.txt   /t /c >  D:\Err.txt  2>&1

The contents of perms.txt (which can be played back with a /restore) are [two lines]:

inetpub
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL

Which if stacked so a human could parse them...

inetpub
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
     (A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
     (A;;FA;;;SY)
     (A;OICIIO;GA;;;SY)
     (A;;FA;;;BA)
     (A;OICIIO;GA;;;BA)
     (A;;0x1200a9;;;BU)
     (A;OICIIO;GXGR;;;BU)
     (A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL              <=== immutable Creator-Owner ???

The script, then, may not be doing the same thing as what is present
at the current time.

In any case, if we use the Security tab, it looks like some sort of
attempt to keep the "Creator Owner" from modifying the folder itself,
while more or less letting other security principals continue to have
the normal level of control. TrustedInstaller, SYSTEM, and Administrator
still have Full Control, the Users (BU) don't have full control, and
the Creator-Owner, the folder looks unmoveable for them. You can't download
over top of it or something. But why anything would even be using that
folder, I haven't a clue. I thought IIS was limited to only certain OS
SKUs and the CVE doesn't suggest that is the exposure.

> (That guy ended up
> with his buddy's arm on the barroom floor, and I'd like to avoid any
> Imperial entanglements.)
>
> Can I remove the ACL for the trusted installer, for example?  Hey, wait a second...
>
> Okay, just had a conversation with ChatGPT, which says I can completely remove
> the ACL and I won't have to worry about anything trying to use the funny directory.
>
> What do you think?  Will that prevent scurrilous ruffians from haxoring my
> Windows virtual machine?

If you are going to remove the security properties, then you might as well
just delete the folder. Then, the Creator-Owner will have control of it,
which is not supposed to be good.

I would think, just the Creator-Owner line could do the job, but if other
accounts are not granted permissions, then somehow "normal business" in
the folder could not be carried out. And at this point, we don't know
what this normal business would be. Unless the idea is, to get IIS to try
to read the folder and some contents.

There is an "iissetup.exe" on my machine, implying it can be installed.
I thought the last time I tried that, it didn't work.

   Paul
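The "something more technical" asked for above, as an added example that is not code from the post, from Microsoft's script, or from icacls: a small decoder for the two SDDL strings quoted in the thread (the script's `$sddlInetpub` and the `icacls /save` line). It covers only the ACE tokens those strings use and assumes, as Paul does, that the long `S-1-5-80-...` service SID is TrustedInstaller; the `0x1200a9` mask is the FILE_GENERIC_READ|FILE_GENERIC_EXECUTE value icacls writes for "Read & execute".

```python
# Added example (not from the post): decode the SDDL strings quoted above into
# a readable per-ACE summary. Covers only the tokens those two strings use.
import re

ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit", "IO": "inherit-only"}
RIGHTS = {"GA": "generic-all", "GR": "generic-read", "GX": "generic-execute", "FA": "full-access"}
# Well-known SID aliases; the long service SID is NT SERVICE\TrustedInstaller (per the post).
SIDS = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users", "CO": "CREATOR OWNER",
        "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "TrustedInstaller"}
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, icacls' "0x1200a9"

def pairs(s):
    """Split two-letter SDDL tokens: 'OICIIO' -> ['OI', 'CI', 'IO']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(ace):
    """ace = 'type;flags;rights;object_guid;inherit_guid;sid' (no parentheses)."""
    typ, flags, rights, _obj, _inh, sid = ace.split(";")
    if rights.lower().startswith("0x"):  # explicit access mask instead of letter codes
        rights_txt = "read+execute" if int(rights, 16) == READ_EXECUTE else f"mask {rights}"
    else:
        rights_txt = "+".join(RIGHTS.get(r, r) for r in pairs(rights))
    return {"type": "allow" if typ == "A" else typ,
            "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "rights": rights_txt, "who": SIDS.get(sid, sid)}

def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]); owner, group and SACL parts are ignored."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    return m.group(1), [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m.group(2))]

def describe(sddl):
    """One line per ACE, e.g. 'allow Users: read+execute [this folder only]'."""
    dacl_flags, aces = parse_dacl(sddl)
    out = [f"DACL flags: {dacl_flags}"]
    for a in aces:
        scope = ", ".join(a["flags"]) or "this folder only"
        out.append(f"{a['type']} {a['who']}: {a['rights']} [{scope}]")
    return out

# The two strings from the post: the script's SDDL, then the icacls /save line.
SCRIPT_SDDL = ("O:SYG:SYD:P(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
               "(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)")
ICACLS_SDDL = ("D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
               "(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
               "(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)"
               "(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL")

if __name__ == "__main__":
    print("\n".join(describe(SCRIPT_SDDL) + [""] + describe(ICACLS_SDDL)))
```

Side by side, the decoded output shows what the stacked strings hide: the script grants one CI+OI ACE per principal, while the live folder has a pair per principal (an explicit folder-only ACE plus an inherit-only one for children), with Users limited to read and execute in both.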
