Securing Directory and Data Structures in Internet Information Services (IIS) 7
Organizing the file system hierarchy of a web site's root is an important part of securing a web server. The root is the top-level directory of the web site. It is good security practice to store all of the site's content (HTML files, CSS files, JavaScript files, image files, sound files and so on) within the root, and to keep that root on a partition other than the system partition so that a path traversal or misconfiguration cannot expose operating system files. Nothing that should never be served (source files, configuration backups, administrative scripts) belongs under the root at all.
Another important feature of current web servers, including Internet Information Services (IIS) 7, is virtual directories. A virtual directory is a folder that is not contained within the web site's file system hierarchy (it can even be on a file system on a different computer) but appears to the user to be part of that hierarchy. Because the URL path no longer mirrors the physical path, this helps conceal the real file system layout of the site. Virtual directories should point to storage within the DMZ itself, not to a share on an internal computer: the web server process must hold credentials for any remote share it maps, so if an intruder compromises the web server, those credentials give him a foothold on the internal computer.
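The following PowerShell script is an added example, not code from the original article, showing how a practitioner would audit the virtual directories of an IIS 7 site for paths that leave the DMZ host and how to create one whose physical folder stays local with read-only NTFS rights for the worker process. It uses the WebAdministration module that ships with IIS 7.5 and later (on IIS 7.0 the cmdlets come from the separate IIS PowerShell Snap-in). The site name "Default Web Site", the content root D:\WebContent and the application pool identity "IIS AppPool\DefaultAppPool" are assumptions for the example.

```powershell
# Added example (not from the original article): audit IIS virtual directories
# and lock down the physical folder behind a new one.
# Assumed names: site "Default Web Site", content root D:\WebContent (kept off the
# system drive), application pool identity "IIS AppPool\DefaultAppPool".
Import-Module WebAdministration

$SiteName    = 'Default Web Site'           # assumed site name
$ContentRoot = 'D:\WebContent'              # assumed content root on a non-system drive
$AppPoolSid  = 'IIS AppPool\DefaultAppPool' # assumed worker process identity

# 1. List every virtual directory of the site and flag the risky ones.
#    A UNC path (\\server\share) means the web server holds credentials for an
#    internal machine; a compromised server inherits that access. A local path
#    outside the content root is flagged too, because it widens what the
#    worker process can reach on disk.
function Get-RiskyVirtualDirectories {
    param([string]$Site)
    Get-WebVirtualDirectory -Site $Site | ForEach-Object {
        $physical = [string]$_.physicalPath
        [pscustomobject]@{
            Path         = $_.path
            PhysicalPath = $physical
            IsRemote     = $physical.StartsWith('\\')
            OutsideRoot  = -not $physical.StartsWith($ContentRoot, [System.StringComparison]::OrdinalIgnoreCase)
        }
    } | Where-Object { $_.IsRemote -or $_.OutsideRoot }
}

# 2. Create a virtual directory whose folder stays on the DMZ host, then replace
#    the inherited ACL so the worker process gets read and execute only
#    (no write, no delete); administrators and SYSTEM keep full control.
function New-HardenedVirtualDirectory {
    param([string]$Site, [string]$Name, [string]$PhysicalPath)
    if ($PhysicalPath.StartsWith('\\')) {
        throw "Refusing remote path '$PhysicalPath': keep virtual directory content on the DMZ host."
    }
    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }
    New-WebVirtualDirectory -Site $Site -Name $Name -PhysicalPath $PhysicalPath | Out-Null
    icacls $PhysicalPath /inheritance:r `
        /grant:r "${AppPoolSid}:(OI)(CI)RX" `
                 "BUILTIN\Administrators:(OI)(CI)F" `
                 "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
}

New-HardenedVirtualDirectory -Site $SiteName -Name 'docs' -PhysicalPath "$ContentRoot\docs"
Get-RiskyVirtualDirectories -Site $SiteName | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the web server. An empty table from Get-RiskyVirtualDirectories is the desired result; any row with IsRemote set to True is a virtual directory that reaches past the DMZ and should be moved or replaced with content replicated onto the DMZ host.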
If web users need access to data within a database, configure a dedicated database for the web server that is read-only to the web user or web server process. Any write to that database should come only from the protected internal database server. If input from the web pages does have to be stored in the database, every server-side script and SQL query must be tested and verified thoroughly for vulnerabilities, and all inputs must be validated to prevent attacks such as SQL injection. Validation on the client side improves the user experience but is not a security control, because an attacker can bypass the browser entirely; the validation that counts is done on the server, combined with parameterized queries rather than SQL text assembled from user input.
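As an added example, not code from the original article, the PowerShell below shows the two controls the paragraph above calls for: the T-SQL a DBA would run on the internal database server to give the web server identity read-only access, and a parameterized query beside the vulnerable string-built query it replaces, exercised with a constructed injection payload. The server name DBSRV01, database WebCatalog, table dbo.Products and the identity "IIS AppPool\DefaultAppPool" are placeholders assumed for the example; the command-building functions run offline, only Invoke-ProductLookup needs a live SQL Server.

```powershell
# Added example (not from the original article). Placeholders: SQL Server DBSRV01,
# database WebCatalog, table dbo.Products(Name nvarchar(100), Price money), and
# the web server's Windows identity "IIS AppPool\DefaultAppPool".
Add-Type -AssemblyName System.Data

# 1. T-SQL run once by a DBA on the protected database server. The web identity
#    is a member of db_datareader and nothing else, so even a successful
#    injection cannot modify or drop data.
$CreateReadOnlyUser = @"
CREATE LOGIN [IIS AppPool\DefaultAppPool] FROM WINDOWS;
USE WebCatalog;
CREATE USER [IIS AppPool\DefaultAppPool] FOR LOGIN [IIS AppPool\DefaultAppPool];
ALTER ROLE db_datareader ADD MEMBER [IIS AppPool\DefaultAppPool];
"@

# 2. VULNERABLE: user input spliced into the SQL text. With the payload
#    ' OR 1=1 -- the WHERE clause matches every row; with a writable account
#    the attacker could append statements that change data.
function Build-VulnerableQuery {
    param([string]$name)
    "SELECT Name, Price FROM dbo.Products WHERE Name = '$name'"
}

# 3. HARDENED: the SQL text is fixed and the input travels as a typed parameter,
#    so the database never parses it as SQL. Server-side validation happens here,
#    regardless of anything the browser checked.
function Build-ParameterisedCommand {
    param([string]$name)
    if ([string]::IsNullOrWhiteSpace($name) -or $name.Length -gt 100) {
        throw 'Product name must be 1 to 100 characters'
    }
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'SELECT Name, Price FROM dbo.Products WHERE Name = @name'
    $p = $cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NVarChar, 100)
    $p.Value = $name
    return $cmd
}

# 4. Execute the hardened command with integrated security, so the connection
#    runs as the worker process identity and the read-only grant above applies.
function Invoke-ProductLookup {
    param([string]$name)
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        'Server=DBSRV01;Database=WebCatalog;Integrated Security=True'
    $cmd = Build-ParameterisedCommand -name $name
    $cmd.Connection = $conn
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Name = $reader['Name']; Price = $reader['Price'] }
        }
    } finally {
        $conn.Close()
    }
}

# Constructed attacker input: compare what each path would send to the server.
$attack = "' OR 1=1 --"
Build-VulnerableQuery -name $attack                                   # query text now ends in '' OR 1=1 --'
(Build-ParameterisedCommand -name $attack).CommandText                # fixed statement, unchanged
(Build-ParameterisedCommand -name $attack).Parameters['@name'].Value  # payload stays plain data
```

The contrast to look at is the last three lines: the vulnerable builder returns SQL whose WHERE clause has been rewritten by the input, while the parameterized command's text is identical for every input and the payload is only ever a parameter value. The read-only role membership is the second layer; it limits the damage if some other query in the application is still built by concatenation.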