What are the security risks of giving write access to the IIS_IUSRS group or a custom identity account on the Document Root or a sub folder?
I was writing a security SOP and asking my app team to avoid writing anything within the Document Root or its sub folders, and to use a different folder outside the Document Root instead. But I wanted to know what the community members' view was.
A couple of reasons that popped into my head:
- If the files being written in the DocumentRoot/sub folder become accessible over the web (more risk when the URL pattern is guessable).
- If there is any upload facility, end users can upload malicious asp/aspx files and execute them on our servers. (I can imagine the asp/aspx page could do a lot of damage: unauthorized access to data, tampering with the data, deleting it.)
Thanks in advance
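The two risks in the question (web-reachable writable folders, and uploaded script files being executed) can both be checked and reduced from the server side. The following PowerShell is an added example, not code from the original post or from Microsoft: it walks every IIS site root, flags folders where the web process identities (IIS_IUSRS, IUSR, the application pool identity, or a custom pool account) hold create/modify rights, and provides a helper that drops a read-only `handlers` web.config into an upload folder so IIS serves its contents as static files instead of running them. It assumes IIS 7 or later with the `WebAdministration` module and an elevated session; the folder path in the usage line is a placeholder.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the original post): audit IIS site roots for write access
# held by web-facing identities, and harden an upload folder against script execution.
# Assumes IIS 7+ with the WebAdministration module, run from an elevated PowerShell.
Import-Module WebAdministration

# Any of these bits lets a process create or overwrite content under a folder.
# Modify and FullControl include them, so they are caught by the same mask.
$script:WriteMask = [int]([FileSystemRights]::WriteData -bor [FileSystemRights]::AppendData -bor [FileSystemRights]::CreateDirectories)

function Find-WebWritableFolder {
    # Returns one object per (site, folder, identity) where a web-facing identity
    # has an Allow ACE with write bits on a folder under the site's physical root.
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Identities that code reachable from the network runs as, plus the broad groups
        # that commonly leak write access when someone "just makes it work".
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
        $identities = @(
            'BUILTIN\IIS_IUSRS',
            'NT AUTHORITY\IUSR',
            "IIS APPPOOL\$($site.applicationPool)",
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        )
        if ($pool.processModel.identityType -eq 'SpecificUser') {
            # Custom identity account configured on the pool (the question's second case).
            $identities += $pool.processModel.userName
        }

        $folders = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)

        foreach ($folder in $folders) {
            $acl = Get-Acl -LiteralPath $folder.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
                if ($identities -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $script:WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Site      = $site.name
                    Folder    = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# web.config that limits the handlers section to Read access. With this in place IIS
# will not run ASP, ASP.NET, CGI/FastCGI or any other script handler for files in the
# folder; they are served (or refused) as static content. Requires the handlers section
# not to be locked in applicationHost.config (the ASP.NET role service unlocks it).
$script:NoExecuteWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Read-only handler access: nothing stored here is executed by IIS. -->
    <handlers accessPolicy="Read" />
  </system.webServer>
</configuration>
'@

function Protect-UploadFolder {
    # Writes the read-only web.config into an upload folder that must live under the
    # document root. Refuses to overwrite an existing web.config so local settings
    # are not silently lost.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    $target = Join-Path $Path 'web.config'
    if (Test-Path -LiteralPath $target) {
        throw "web.config already exists in $Path; merge <handlers accessPolicy=`"Read`" /> by hand."
    }
    Set-Content -LiteralPath $target -Value $script:NoExecuteWebConfig -Encoding UTF8
    Write-Output "Wrote read-only handlers web.config to $target"
}

# Usage (placeholder path, replace with the real upload folder):
#   Find-WebWritableFolder | Format-Table -AutoSize
#   Protect-UploadFolder -Path 'D:\sites\app\uploads'
```

Every row the audit prints is a folder where content written by the web process is also reachable by URL, which is the first risk in the question; rows whose `Folder` is the site root itself deserve the most attention. The web.config is defence in depth for the second risk and does not replace keeping the upload location outside the document root: it stops IIS from executing what it serves, but an attacker can still upload content the server will return verbatim, so the file type and name checks on the upload path still matter.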