Share via


Enabling Parent Paths

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Enabling parent paths specifies whether an ASP page allows paths relative to the current directory (using the ..\ notation). If set to true, this property constitutes a potential security risk, because an include path could access critical or confidential files outside the root directory of the application.

In IIS 6.0, parent paths are no longer enabled by default. This affects your application if it has a Web page that contains the #include server-side include directive and uses ".." notation to refer to a parent directory. Enabling parent paths corresponds to the metabase setting, AspEnableParentPaths Metabase Property.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To enable parent paths

  1. In IIS Manager, double-click the local computer, right-click the starting-point directory of the application you want to configure, and then click Properties.

  2. Click the Directory tab, and then click Configuration.

  3. Click the Options tab.

  4. In the Application configuration section, select the Enable parent paths check box.

  5. Click OK.