Showing posts with label Internet Information Services (IIS).

Thursday, August 7, 2014

Move the IIS default path on Windows Server 2008 or later

For security reasons, administrators might need to move the default IIS path, Inetpub, to a non-system drive.

According to KB2752331, IIS is a core Windows component and cannot be installed on a non-system drive, and moving the Inetpub folder structure completely off of the system drive is not supported.

It seems that Microsoft doesn't suggest moving the default IIS path to a non-system drive; administrators can instead choose to save websites or applications to other folders and drives.

However, in the Security Best Practices for IIS 8 article, Microsoft recommends moving Inetpub to a different partition to save space and improve security.

Anyway, Microsoft provides a script for moving Inetpub to a different drive, but the script isn't supported by Microsoft. Administrators who run this script to move the IIS default path do so at their own risk.

The script example looks like this.



Prerequisite


Lab
This assumes that the administrator is logged in to the IIS server.

1. After installing IIS, launch "Command Prompt" as administrator.
2. Run the script file like this.


Remark: D is the destination drive letter. Administrators have to provide the drive letter of the drive they are moving to.

3. Run "xcopy c:\inetpub d:\inetpub /E /O /I" to copy all contents, including ACLs, to the new IIS path.


As a result, the default contents of IIS have been moved to the new path. However, administrators shouldn't delete the original IIS default path on the system drive.

References:
Guidance for relocation of IIS 7.0 and IIS 7.5 content directories

Security Best Practices for IIS 8

IIS7: Moving the INETPUB directory to a different drive

This posting is provided “AS IS” with no warranties, and confers no rights!

Tuesday, December 4, 2012

Event ID 4625 and 6037 in SharePoint 2010 front-end servers

When I try to log in to the web application on a SharePoint 2010 front-end server, I cannot log in and I get the following warnings in the Security and System event logs.




Cause
The "loopback security check" feature is enabled on the IIS server. It prevents access to a web application through a fully qualified domain name (FQDN).

Resolution
There are 2 methods to solve this issue.

1. Specify host names (Preferred method if NTLM authentication is desired)

1. On the front-end server, log in as a local or domain administrator.
2. Launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0".
4. Right-click "MSV1_0", create a new "Multi-String Value" named "BackConnectionHostNames".
5. Double-click "BackConnectionHostNames".
6. Type the host names that are hosted on the local computer.


7. Click "OK".


8. Restart the server.

2. Disable the loopback check

1. On the front-end server, log in as a local or domain administrator.
2. Launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA".
4. Right-click "LSA", create a new "DWORD Value" named "DisableLoopbackCheck".
5. Double-click "DisableLoopbackCheck".
6. Under "Value data", type "1".


7. Click "OK".


8. Restart the server.
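
The registry change from method 1 can also be scripted in PowerShell. This is an added example, not part of the original post: the host names are constructed placeholders, and the final check only reports whether method 2's "DisableLoopbackCheck" value is present so that it is not left enabled unnoticed.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Constructed sample values: replace with the host names hosted on this server.
$HostNames = @('portal.contoso.example', 'mysite.contoso.example')

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Read the existing multi-string value; the property may not exist yet.
$existing = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                 -ErrorAction SilentlyContinue).BackConnectionHostNames)

# Merge old and new names, dropping empty entries and duplicates,
# so names added earlier by another administrator are not lost.
$merged = @($existing + $HostNames | Where-Object { $_ } | Sort-Object -Unique)

# -Force overwrites the value if it already exists and keeps the type REG_MULTI_SZ.
New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

Write-Output "BackConnectionHostNames now contains:"
$merged | ForEach-Object { Write-Output "  $_" }

# Report (do not change) the method 2 value. A value of 1 turns the
# loopback check off for every host name on the server.
$dlc = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
          -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($dlc -eq 1) {
    Write-Warning "DisableLoopbackCheck is set to 1; the loopback check is disabled server-wide."
} else {
    Write-Output "DisableLoopbackCheck is not enabled."
}

# Restart the server afterwards, as in step 8 of method 1.
```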

Reference:
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

DisableLoopbackCheck. Lets do it the right way
