In April 2025, Microsoft's Patch Tuesday update for Windows 11, specifically update KB5055523, introduced a new folder named 'inetpub' on the system drive. This unexpected addition has raised questions and concerns among users and IT professionals. This article delves into the background, purpose, security implications, and recommended actions regarding the 'inetpub' folder.

Background: The 'inetpub' Folder in Windows 11

Traditionally, the 'inetpub' folder is associated with Microsoft's Internet Information Services (IIS), a web server platform used to host websites and web applications. When IIS is enabled, 'inetpub' serves as the default directory for storing website content, system logs, and related files. However, in the April 2025 update, this folder was created on systems regardless of whether IIS was installed or active. Microsoft clarified that this behavior is part of changes aimed at enhancing system protection and does not require any action from IT administrators or end users. (support.microsoft.com)

Purpose: Mitigating CVE-2025-21204

The creation of the 'inetpub' folder is directly linked to addressing a critical security vulnerability identified as CVE-2025-21204. This flaw pertains to the Windows Process Activation Service and involves improper handling of symbolic links (symlinks). Malicious local attackers could exploit this vulnerability to redirect system operations to unauthorized files or directories, potentially leading to elevation of privileges or unauthorized file access. By preemptively creating the 'inetpub' folder with strict system-level permissions, Microsoft aimed to block potential symlink attack vectors, thereby enhancing system security. (support.microsoft.com)

Security Implications: The Junction Point Exploit

While the 'inetpub' folder was intended as a protective measure, security researcher Kevin Beaumont discovered that it inadvertently introduced a new vulnerability. By using the Windows command-line tool 'mklink' with the '/j' parameter, an attacker or even a non-privileged user could create a directory junction that redirects the 'inetpub' folder to a critical system executable, such as 'notepad.exe'. This redirection could cause Windows Update to fail when interacting with the 'inetpub' folder, leading to update rollbacks and effectively blocking the application of essential security patches. Alarmingly, this exploit does not require administrative privileges, meaning standard users could disrupt the update process without elevated rights. (windowsforum.com)

Mitigation Strategies: Restoring the 'inetpub' Folder

If the 'inetpub' folder has been deleted, Microsoft recommends restoring it to maintain the integrity of the security patch. One method is to enable Internet Information Services (IIS) temporarily:

  1. Open the Control Panel.
  2. Navigate to 'Programs' > 'Programs and Features'.
  3. Click on 'Turn Windows features on or off'.
  4. Check the box for 'Internet Information Services'.
  5. Click 'OK' to apply the changes.

This process will recreate the 'inetpub' folder with the correct security permissions. After restoration, IIS can be disabled again without deleting the folder, thus preserving the security fix. (windowsforum.com)

Conclusion

The introduction of the 'inetpub' folder in the Windows 11 April 2025 update serves as a proactive measure to mitigate a significant security vulnerability. While it has led to some confusion and the discovery of new potential exploits, understanding its purpose and the recommended mitigation strategies can help users and IT professionals maintain system security and integrity.

Reference Links