Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier

We previously discussed how the inetpub folder in Windows is crucial and should not be deleted due to security concerns. Ironically, the presence of this folder poses a security risk in itself. It's surprisingly simple for even non-administrative users to manipulate this folder, potentially compromising your PC's security. Let's delve into how the inetpub folder can be exploited and what you can do to protect your system until Microsoft offers a permanent fix.

How Can the Inetpub Folder Be Exploited?

Starting with the April 2025 cumulative update for Windows 11, an empty inetpub folder is now created in the C drive. This update aimed to fix a vulnerability that allowed attackers to use absent directories to insert symlinks into the Windows Update stack. However, attackers can still exploit this by replacing the folder with a directory junction, causing Windows Update to target the wrong location and fail.

Any user with access to your PC can execute a simple command without admin rights to alter the inetpub folder's final directory. As noted by security expert Kevin Beaumont, executing the command mklink /J C:\inetpub C:\Windows\System32\notepad.exe can redirect the folder to point to Notepad or any other file, leading to Windows update failures.

Internally, the Windows Servicing Stack operates as SYSTEM and regards C:\inetpub as a secure directory. It does not verify for reparse points or ownership, so when it attempts to place files there and encounters a junction to a file, the update process either fails or reverts.

A Temporary Fix for This Vulnerability

Microsoft has yet to address this vulnerability or confirm if a solution will be included in future updates. In the meantime, you can implement measures to reduce the risk of this vulnerability being exploited.

Creating a directory junction necessitates write/delete permissions on the parent folder. By removing these permissions from all user accounts, while still allowing SYSTEM and TrustedInstaller to retain them, you prevent any non-system process (including admins) from using mklink /J on “C:\inetpub”. Here’s how to do it:

On the C drive, right-click the inetpub folder and choose Properties.

Navigate to the Security tab and click on Advanced at the bottom.

Click Disable inheritance, and when prompted, select Remove all inherited permissions from this object.

Click Add, then Select a principal. In the next window, type SYSTEM, click Check Names, and then OK.

Under Basic permissions, choose Full control and click OK.

Repeat the Add principal process, this time entering NT SERVICE\TrustedInstaller, granting Full control, and clicking OK. Close all windows by clicking OK.

Now, no users can access or modify the folder, and any attempt will trigger a Windows permission denied message. Windows and its updater will still have access to update the PC.

To undo these changes, revisit the Advanced Security Settings window, click Enable inheritance, and then Apply.

This action will restore the original permissions. Simply delete the manually added SYSTEM and TrustedInstaller entries by selecting them and clicking Remove.

This approach should safeguard your PC until Microsoft resolves the vulnerability. The adjusted permissions should facilitate smooth Windows updates. If you encounter issues with Windows updates, consider resetting the Windows update components before reverting these permissions.

The above is the detailed content of Windows 11's New Inetpub Folder is Hackable. Try This Temporary Fix - Make Tech Easier. For more information, please follow other related articles on the PHP Chinese website!