Joel Dubin, independent security consultant and author of The Little Black Book of Computer Security, explains that any application or data servers should be separated from the web server by a firewall. In other words, the web server should be in a DMZ, and any other server it connects to should be inside the company firewall. Second, the same hardening rules that apply to any other server should apply to a web server: restrict administrative access, close any unneeded open ports, turn off unneeded services, keep patches current, and make sure the web site isn't served from the root directory.
That said, within a corporate network there may be rogue web servers that are not deployed or controlled by the actual web server team. Older versions of the Microsoft Windows operating system, such as Windows 2000, actually enabled the Internet Information Server (IIS) service by default, creating web servers that the users did not even realize existed. Hopefully the web server administrators have done their jobs, but it is still prudent to perform a more in-depth review and ensure that sensitive data is not available via the web.
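As an added example that is not part of the original article, the following Python script audits a host inventory for exactly these two problems: hosts that listen on HTTP ports without being on the approved web server list (the rogue servers above), and approved servers whose document root sits at the filesystem or drive root. The listening-socket lines (`ss -ltn` style), host names, ports and document roots are all constructed assumptions.

```python
import re

# Constructed sample data: hostname -> its own listening-socket lines (ss -ltn style),
# as a host inventory agent or an administrator's collection script would report them.
LISTENERS = {
    "web01.dmz.example": [
        "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*",
        "LISTEN 0 128 0.0.0.0:80  0.0.0.0:*",
        "LISTEN 0 128 127.0.0.1:22 0.0.0.0:*",
    ],
    "hr-desktop-17.corp.example": [
        "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*",   # a web listener nobody deployed on purpose
        "LISTEN 0 128 0.0.0.0:445 0.0.0.0:*",
    ],
    "db01.corp.example": ["LISTEN 0 128 10.0.5.10:1433 0.0.0.0:*"],
}
# Constructed allowlist: approved web servers and their declared document roots.
APPROVED = {"web01.dmz.example": "/var/www/site", "intranet.corp.example": "C:\\"}
WEB_PORTS = {80, 443, 8080, 8443}

def listening_ports(lines):
    """Return the TCP ports in LISTEN state from ss/netstat-style lines."""
    ports = set()
    for line in lines:
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def docroot_is_risky(docroot):
    """True when the web root is the filesystem root ('/') or a bare drive root
    ('C:\\'): the whole disk then sits under the site's URL space."""
    norm = docroot.replace("\\", "/").rstrip("/")
    return norm == "" or re.fullmatch(r"[A-Za-z]:", norm) is not None

def audit(listeners, approved):
    """Return {'rogue': {host: [ports]}, 'risky_docroot': [hosts]}."""
    findings = {"rogue": {}, "risky_docroot": []}
    for host, lines in listeners.items():
        web = listening_ports(lines) & WEB_PORTS
        if web and host not in approved:   # serves HTTP but was never approved
            findings["rogue"][host] = sorted(web)
    for host, docroot in approved.items():
        if docroot_is_risky(docroot):
            findings["risky_docroot"].append(host)
    return findings

if __name__ == "__main__":
    print(audit(LISTENERS, APPROVED))
```

Hosts reported under `rogue` are candidates for the in-depth review the article recommends; hosts under `risky_docroot` need their web root moved into a dedicated directory.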

