Microsoft IIS tilde directory enumeration
Description
Microsoft IIS servers may expose short file and directory names (8.3 format) through tilde character (~) enumeration techniques. This vulnerability affects files and directories that have 8.3 naming scheme equivalents in Windows, particularly those with extensions longer than three characters such as .aspx files. Attackers can exploit this behavior to discover hidden or sensitive files and directories that are not intended to be publicly accessible, which is especially critical for .NET applications vulnerable to direct URL access attacks.
Remediation
Implement one or more of the following mitigation strategies:
1. Disable 8.3 short name generation on the server: Run the following command as Administrator to disable the creation of new short names on the system drive (a reboot is required; short names already assigned to existing files are removed in step 4):
fsutil behavior set disable8dot3 1
2. Upgrade IIS: Update to the latest version of IIS and apply all security patches, as newer versions include mitigations for this vulnerability.
3. Configure URL filtering: Block requests containing the tilde (~) character and asterisk (*) patterns in the URL using IIS Request Filtering or a Web Application Firewall (WAF).
4. Disable short names for existing files: For existing systems, use tools to remove short names from files and directories in web-accessible locations.
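The following PowerShell session applies steps 1, 3 and 4 above on a single IIS host. It is an added example, not part of the original advisory, and assumes the site content lives under C:\inetpub\wwwroot and that the IIS management tools (WebAdministration module) are installed; both the path and the server-wide scope are assumptions to adjust for your environment.

```powershell
# Added example: apply the 8.3 short-name mitigations on an IIS server.
# Run from an elevated PowerShell prompt on the web server itself.
# Assumption: web content is under C:\inetpub\wwwroot (change as needed).
$webRoot = 'C:\inetpub\wwwroot'

# --- Step 1: stop Windows from creating new 8.3 short names (reboot needed) ---
fsutil behavior query disable8dot3      # record the current setting first
fsutil behavior set disable8dot3 1      # 1 = disable creation of short names

# --- Step 4: remove short names already assigned to existing web content ---
# Scan first: the report lists affected files and any registry values that
# still reference a short path; stripping those would break the software that
# depends on them, so review the scan output before running strip.
fsutil 8dot3name scan /s $webRoot
# Strip recursively (/s) with verbose output (/v) once the scan is clean.
fsutil 8dot3name strip /s /v $webRoot

# --- Step 3: reject any URL containing "~" at the Request Filtering stage ---
# A denied URL sequence is evaluated by IIS before the request reaches the
# application, so short-name probes never hit application code. This is set
# server-wide (applicationHost.config); pass -PSPath "IIS:\Sites\<name>" to
# both cmdlets to limit it to one site. Caveat: any legitimate URL that
# contains a literal "~" (for example /~user/ paths) will be blocked as well.
Import-Module WebAdministration
$filter  = 'system.webServer/security/requestFiltering/denyUrlSequences'
$existing = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Filter $filter -Name Collection |
            Where-Object { $_.sequence -eq '~' }
if (-not $existing) {
    # Equivalent to <denyUrlSequences><add sequence="~" /></denyUrlSequences>
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter $filter -Name '.' -Value @{ sequence = '~' }
}
```

The same deny rule can be committed per application in its web.config as `<security><requestFiltering><denyUrlSequences><add sequence="~" /></denyUrlSequences></requestFiltering></security>` under `system.webServer`. After the reboot, re-run `fsutil behavior query disable8dot3` to confirm the setting persisted.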
Refer to Soroush Dalili's research paper (listed in references) for comprehensive prevention techniques and additional configuration guidance.