Hi
I am new to IIS 7 security so please have patience with me :)
I am writing a ASP.NET web application hosted on IIS 7(.5) that will serve files located on a file server to the users. The web application is hosted on a different web server, but has network access to the file server.
Users accessing the site will be authenticated by the local active directory, and the files they can download through the web application is controlled through NTFS ACLs on the file server. I assume that IIS will have impersonation enabled to make this scenario work.
My web server will/can be located in a DMZ but be visible to the outside world, with the file server on the internal network and necessary ports open in the firewall to make a connection between the two servers.
Should the web server or my code be compromised in some way, what are the possibilities for an attacker to get access to other servers, including the file server, and data located in the internal network?
I know its a broad question, but I am hoping some of the security savvy here on SO can provide some advise.
Best regards, Egil.