IIS can detect when the path is local or remote even when network mappings make the drive appear local. Therefore, for access to be granted, IIS must obtain credentials with permissions to the remote share. These credentials (the user ID and password) are encrypted and stored in the IIS metabase, but are available through an Application Programming Interface (API). If normal security practices are not followed, this can potentially pose a risk to secure operation of the server.
Server administrators should never allow untrusted code to run on the server. The potential damage that can result from allowing an untrusted user to run code on the server goes far beyond this specific incident.
For any Web site or virtual directory with a share, Microsoft recommends that you carefully plan permissions and do not use any accounts with administrative-level permissions.
If good security guidelines are followed, then this should not pose a security risk. However, there is a possibility that this information can be extracted from the metabase if the wrong security permissions are placed on the IIS server.
The information in this article was tested with Active Server Pages (ASP) and the GetObject method of the IIS provider. A vulnerability was discovered with the correct code method; however, the root cause of the problem is incorrect security permissions.