I can't begin to count the number of file system-related security holes that never became a problem on my systems. For example, older versions of IIS were known to expose sensitive information through the use of a URL that ended in a period or a "::$DATA" suffix. In addition, Microsoft Office 2000 has a problem where applications incorrectly exposes hidden drives to users that should not be exposed to such resources. None of these problems affect an adequately protected Windows NT computer system.

So how to you introduce adequate protection? By assuming the worst case scenario and setting permissions accordingly. For example, you can certainly hide a drive from users, but you already know that obscurity offers very little security if any at all. Therefore you must establish strict access permissions for the hidden drive to ensure only authorized users can access the data in the event that it is discovered.

Likewise, similar logic can be applied to Internet Information Server (IIS) and other Web server platforms that support the use of embedded code for server-side processing, such as Microsoft's Active Server Pages (ASP) technology on IIS. ASP lets developers embed application code for specialized server-side processing, such as performing database queries against an SQL Server. You probably don't want users viewing your SQL query code, because it may contain sensitive user credentials that are needed to connect to a given SQL Server.

To protect your Web code, put the code in a directory that disallows Read permission to Web site users. The Read permission settings blocks IIS from sending the code to users unprocessed, which prevents unwanted eyes from seeing that code. By doing so, not only can you prevent the IIS risks I mentioned previously, but you will simultaneously guard against any future vulnerabilities of a similar nature.

Be sure to inspect your file systems carefully to ensure the strictest possible permissions have been set. And remember to work from a worst case scenario viewpoint when deciding what permissions to apply to disk drives whether those drives are hidden or not