Introduction

The recent April 2025 cumulative update for Windows 11 introduced a seemingly innocuous yet security-critical addition: an empty folder named "inetpub" appearing on the root of the system drive (usually C:\inetpub). Traditionally, the inetpub folder is tied to Microsoft's Internet Information Services (IIS), a web server directory only present if IIS is installed. However, its forced creation on all Windows 11 systems, regardless of IIS usage, sparked confusion and security concerns among users and IT professionals alike.

This article provides a comprehensive examination of the inetpub folder's emergence, the security context behind it, the paradoxical vulnerability it introduces, and practical mitigation steps pending a permanent fix from Microsoft.

Background: The Inetpub Folder and Its Traditional Role

Historically, the inetpub folder houses IIS content such as webpages, logs, scripts, and administrative files, present only when web services are enabled.

With the Windows 11 April 2025 update (KB5055523), Microsoft began creating this folder universally—even on machines without IIS configured. This is not an accidental residue but a deliberate security strategy linked to the critical vulnerability CVE-2025-21204.

Security Context: CVE-2025-21204 and Symbolic Link Exploits

CVE-2025-21204 is a vulnerability involving symbolic link (symlink) mishandling within the Windows Update servicing stack. Symlinks are filesystem objects that redirect file operations to other targets—if manipulated maliciously by local attackers, they could redirect Windows Update operations to unauthorized locations, enabling privilege escalation or tampering with critical system files.

To combat this, Microsoft implemented the inetpub folder as a secured, hardened container:

  • It is created with strict permissions, owned by SYSTEM and TrustedInstaller.
  • Ordinary users, including administrators, are denied write and delete access.
  • The folder serves as a trusted staging ground for update files, preventing malicious symlink redirection during update operations.

The Paradox: Inetpub as Both Shield and Vulnerability

While the inetpub folder was introduced to close a serious exploit avenue, it ironically introduced a new security concern.

Security researcher Kevin Beaumont demonstrated that non-administrative users could exploit the folder by deleting the legit inetpub folder and replacing it with a directory junction (a type of symlink for directories) pointing to arbitrary files, e.g., Notepad.exe:

CODEBLOCK0

Because the Windows servicing stack runs with SYSTEM privileges and blindly trusts the inetpub path without verifying whether it is a reparse point (junction or symlink) or validating ownership, such redirections cause Windows Update to fail or roll back. This effectively blocks the update process, creating a local denial-of-service (DoS) attack vector for Windows Update.

Key points:
  • This exploit requires no administrative privileges.
  • It can be performed by any local user with command line access.
  • It disrupts critical security patches by sabotaging the update mechanism.

Implications and Impact

This situation illustrates several broader challenges in operating system security:

  • Complexity of fixes: A security patch meant to solve one vulnerability can unintentionally create a new attack surface.
  • Low bar for attack: Since no elevated privileges are needed, the attack is practical in multi-user environments, corporate PCs, or shared systems.
  • Patch management hurdles: Failed updates confuse users and admins and may expose devices to unpatched vulnerabilities.

System administrators and security teams must be aware of this double-edged nature of the inetpub folder, balancing its protective role with the new risks it introduces.

Technical Details: Permissions and Hardening

Folder permissions:
  • Owner: SYSTEM and TrustedInstaller
  • Full control granted only to these system accounts
  • Non-system users, including local admins, denied modify, write, or delete rights
Exploit mechanism: Without permission hardening, any user can delete the folder and create a junction redirecting the path. Mitigation:

Until Microsoft releases a definitive patch, the best mitigation is manually tightening inetpub folder permissions:

  1. Right-click C:\inetpub, choose Properties.
  2. Navigate to the Security tab > Advanced settings.
  3. Disable inheritance and remove all inherited permissions.
  4. Add explicit Full Control permissions only for SYSTEM and NT SERVICE\TrustedInstaller.
  5. Confirm and apply changes.

This blocks unauthorized junction creation or deletion attempts by non-system accounts, preserving Windows Update functionality.

Microsoft's Guidance and Current Status

Microsoft strongly advises not to delete the inetpub folder, as doing so disables the security patch against CVE-2025-21204 and exposes systems to symbolic link attacks.

If the folder is accidentally removed, Microsoft recommends:

  • Re-enabling IIS temporarily through "Turn Windows features on or off" to restore inetpub with correct permissions.
  • Reinstalling the April 2025 update (or respective cumulative updates) to recreate the folder.

As of now, Microsoft has not issued a fix specifically addressing the directory junction exploit vulnerability itself but continues to recommend these workarounds.

Conclusion

The inetpub folder's introduction in Windows 11's April 2025 update symbolizes a modern security balancing act—adding system components to protect critical processes while inadvertently opening new local attack vectors. Awareness, permission hardening, and adherence to Microsoft's guidelines are essential to safeguarding your Windows 11 environment.

This case underscores the evolving challenges in operating system security, where defensive architecture must be continuously refined to address complex, layered threats.