Secure > Enhance site security
Security consideration for the Internet Information Services (IIS) Web server
If you are using the IIS Web server with WebSphere Commerce, be aware of the following security consideration and take the recommended action to minimize any security exposure of the WebSphere Commerce data.
For the IIS Web server, read permission on a Virtual Directory provides access to the source code of JSP files. In order to prevent download of the JSP source code, you should must physically separate the static content from the dynamic content of the Web pages, if you are using the IIS Web server. This is because IIS security is based on directory location, rather than file type. Under the default IIS configuration, the image files and JSP files are located under a single alias. You should use the default configuration for testing purposes only.
By default, files in the META-INF and WEB-INF folders for each WAR can be served directly to a browser. It is the responsibility of IIS Web server administrators to .mplement access control preventing the serving of these files
To secure all Web assets, the dynamic content must be accessed using a Virtual Directory with execute-only (not read) permissions while static content should be moved to a different Virtual Directory with read-only permission. For further information about setting permissions on a Virtual Directory, see the instructions in the IIS help information. It is also recommended that you consult Microsoft Corporation's current documentation on security patches and configuration policies.