Hi
some days ago i wrote this post
IIS 8 Hacket permission security
http://forums.iis.net/t/1219136.aspx?IIS+8+hacked+permission+security
today i read about other issues and find this
How i do prevent AspxSpy
http://forums.iis.net/t/1167066.aspx?How+do+I+prevent+AspxSpy+
These two post explain the same problem about IIS security in relation to aspx page or php page
The problem is that an hacker after upload a specifc code (aspx or php language) can elevate their privilege to very high permission.
So is not important if you have follow all IIS guide for security host environment (for example separate user, separate app poll, file system permission etc..).
Unfortunately is not simple to get contact with microsoft people that can really check the situation and provide us (web hoster) a solutions.
Please if anyone here is able to make an escalation, really do this job. (i can provide to ms tech support the php code that i found on our server)
thanks
Roberto