Security: Protecting WC.INI on your site
WC.INI doesn't contain compromising data, so viewing this file by itself won't expose a security hole, but some administrators may feel that the information in it should not be exposed anyway, since it gives away partially useful information. The keys that may cause concern are:
AdminAccount=UserAccountName ; or Any or blank (not a good idea <s>)
AdminPage=/admin/admin.asp
The names of your Automation servers may also be an issue. By themselves these keys are not damaging: the account still requires a password, which is not listed, and the admin page can be protected with NTFS permissions on the file itself or on a directory that doesn't allow access for the anonymous Internet user (IUSR_).
You cannot simply restrict permissions on wc.ini, because the ISAPI DLL still requires access to the INI file, and the DLL runs under the same anonymous IUSR_ account that public Internet users use to access the site.
Solution
The best way to address this issue is to create a custom script map in the IIS 4 Internet Service Manager. You can do this either on the WCONNECT virtual directory that hosts wc.dll or on the server root. Doing it on the root applies the change globally to the whole server; doing it on the virtual directory only covers INI files requested under that directory, so pick the scope that matches where your INI files live.
On the Home Directory tab of the property sheet in the IIS 4 MMC, click Configuration. Add a script map for the .INI extension and point it at wc.dll.
Now whenever someone requests an INI file through the Web server, your Web Connection server handles the request instead of IIS serving the file. Since the server isn't set up to handle INI files you'll simply get an error message that says Unhandled request, which is fine for snoopy hackers <s>... If you want a fancier message you can add a handler for the INI script map to your wcMain::Process method.
Another way to get around the problem entirely is to move wc.dll and wc.ini into a scripts-only directory and always reference your scripts through a script map. For example, instead of /wconnect/wc.dll?wwDemo~TestPage use /myvirtual/wc.wc?wwDemo~TestPage. The script map handles the request routing and doesn't give away the location of wc.ini. Because a scripts-only directory has Read access turned off, IIS refuses to serve static files from it, so even a guessed path to wc.ini returns nothing.
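Whichever of the two approaches you use, check the result from the outside the way a snooper would: request the INI file over HTTP and see whether the raw key/value text comes back. The following script is an added example for this article, not part of Web Connection or the original page; the URL path /wconnect/wc.ini and the sample response bodies are constructed assumptions. It classifies a response as leaked (the INI was served verbatim), handled (the script map or a scripts-only directory refused it) or unknown, and for a leaked file it flags the AdminAccount and AdminPage settings the article singles out.

```python
"""Check whether an IIS site still serves wc.ini as plain text.

Added example for this article; not code from West Wind Web Connection.
The URL path and the sample bodies below are assumptions for illustration.
"""
import re
import sys
import urllib.error
import urllib.request

# Keys the article calls out as the ones worth hiding from the Internet user.
SENSITIVE_KEYS = ("AdminAccount", "AdminPage")

# A plain 'Key=Value' assignment; comments are stripped before matching.
_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample responses (assumptions), used for the self-check below.
SAMPLE_LEAKED_INI = (
    "[Main]\n"
    "AdminAccount=   ; blank, so admin links need no account\n"
    "AdminPage=/admin/admin.asp\n"
    "Timeout=30\n"
)
SAMPLE_HANDLED = "Unhandled request: /wconnect/wc.ini"


def parse_ini_keys(body):
    """Return {key: value} for INI-style lines in body.

    ';' comments and [Section] headers are ignored; values are stripped."""
    keys = {}
    for raw in body.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = _KEY_RE.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def classify_body(status, body):
    """Classify the response to a GET of wc.ini.

    'leaked'  - 200 and the body parses as an INI exposing a sensitive key
    'handled' - the script map routed it to wc.dll (Unhandled request) or
                IIS refused it (403 for a scripts-only directory, 404, ...)
    'unknown' - 200 but not recognisably an INI file
    """
    if status != 200:
        return "handled"
    if "unhandled request" in body.lower():
        return "handled"
    keys = parse_ini_keys(body)
    if any(k in keys for k in SENSITIVE_KEYS):
        return "leaked"
    return "unknown"


def weak_settings(keys):
    """Return warnings for exposed values the article says to avoid."""
    warnings = []
    if "AdminAccount" in keys:
        acct = keys["AdminAccount"].strip()
        if acct == "" or acct.lower() == "any":
            warnings.append("AdminAccount is blank/Any: admin links are open to anyone")
        else:
            warnings.append("AdminAccount exposed: " + acct)
    if "AdminPage" in keys:
        warnings.append("AdminPage path exposed: " + keys["AdminPage"])
    return warnings


def check_url(url, timeout=10):
    """Fetch url and return (status, classification, warnings)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("latin-1", "replace")
    cls = classify_body(status, body)
    warns = weak_settings(parse_ini_keys(body)) if cls == "leaked" else []
    return status, cls, warns


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_wcini.py http://yourserver/wconnect/wc.ini (assumed path)
        print(check_url(sys.argv[1]))
    else:
        # Offline self-check against the constructed samples.
        print("leaked sample :", classify_body(200, SAMPLE_LEAKED_INI),
              weak_settings(parse_ini_keys(SAMPLE_LEAKED_INI)))
        print("handled sample:", classify_body(200, SAMPLE_HANDLED))
        print("403 sample    :", classify_body(403, ""))
```

Run it once before the script map change and once after: the first run should report leaked with the two warnings, the second handled. A 403 from a scripts-only directory counts as handled as well, since IIS never opened the file.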
Note: You should not add NT account restrictions on wc.ini. The Web Connection ISAPI DLL requires access to this file under the IUSR_ account from which the Web server fires the ISAPI request. If you change permissions to disallow access by IUSR_, wc.ini will not be read or updated from the maintenance page links. This can lead to unpredictable results, because the built-in defaults will still work but may or may not match the settings in the INI file. Don't do it! <s>
Last Updated: 08/08/99