CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Include files are a convenient way of storing commonly used HTML or code. The code or HTML is placed into a central file, and then included with every file that requires it. This improves the maintainability of your web applications because changes to the contents of the include file are reflected immediately in every page that includes this central file.
Include files are pulled into a page by include directives, small pieces of markup placed in the page itself. IIS 6.0 provides three technologies that process server-side include (SSI) directives. Files with the .stm, .shtm, and .shtml extensions are handled by the SSI web service extension. Classic ASP pages (.asp) can also contain include directives. Finally, ASP.NET pages can contain include directives as well, although ASP.NET offers better ways to share content (for example, user controls) than include directives.
Because include files are now often used to centralize web application data and settings (such as database connection strings), it is important that any include files you do have are protected against direct access by attackers.
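The practical exposure is an include file that lives under the web root with an extension IIS 6.0 does not hand to the ASP or SSI engine (for example, .inc or .html): a request for it by name returns the raw file, connection strings and all. The following audit script is an added example, not code from the book. It walks a web root, parses the `<!-- #include file="..." -->` and `<!-- #include virtual="..." -->` directives used by both SSI and classic ASP, resolves each referenced file, and flags any include that is both reachable by URL (inside the web root) and not server-processed. The set of server-processed extensions and the sample site it builds are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Directive syntax shared by SSI pages (.stm/.shtm/.shtml) and classic ASP (.asp):
#   <!-- #include file="relative\path.inc" -->      (relative to the including page)
#   <!-- #include virtual="/site/relative/path.inc" --> (relative to the site root)
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Extensions that IIS 6.0 routes to a server-side engine (script maps / SSI extension).
# Assumption for this example: any other extension is treated as a static file.
SERVER_PROCESSED = {".asp", ".aspx", ".stm", ".shtm", ".shtml"}


def find_includes(page_path, web_root):
    """Return (kind, reference, resolved_path) for each include directive in page_path."""
    with open(page_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    results = []
    for kind, ref in INCLUDE_RE.findall(text):
        ref = ref.replace("\\", "/")
        if kind.lower() == "file":
            # 'file' paths are relative to the directory of the including page
            resolved = os.path.normpath(os.path.join(os.path.dirname(page_path), ref))
        else:
            # 'virtual' paths are relative to the web root
            resolved = os.path.normpath(os.path.join(web_root, ref.lstrip("/")))
        results.append((kind.lower(), ref, resolved))
    return results


def audit_web_root(web_root):
    """Report every include referenced by a server-processed page under web_root.

    A finding is marked 'exposed' when the include sits inside the web root
    (so it has a URL) and its extension is not server-processed, meaning a
    direct request would return its source as a static file.
    """
    web_root = os.path.abspath(web_root)
    findings = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SERVER_PROCESSED:
                continue  # static files never expand include directives
            page = os.path.join(dirpath, name)
            for kind, ref, resolved in find_includes(page, web_root):
                inside_root = os.path.commonpath([web_root, resolved]) == web_root
                ext = os.path.splitext(resolved)[1].lower()
                findings.append({
                    "page": os.path.relpath(page, web_root),
                    "include": ref,
                    "kind": kind,
                    "exists": os.path.isfile(resolved),
                    "inside_root": inside_root,
                    "exposed": inside_root and ext not in SERVER_PROCESSED,
                })
    return findings


def build_sample_site():
    """Create a constructed sample site (not a real deployment) in a temp directory."""
    root = tempfile.mkdtemp(prefix="iis_include_audit_")
    os.makedirs(os.path.join(root, "inc"))
    files = {
        # .inc under the web root: served as static text if requested directly
        "default.asp": '<!-- #include virtual="/inc/db.inc" -->\n<% Response.Write "ok" %>',
        "inc/db.inc": '<% connStr = "Provider=SQLOLEDB;Data Source=db01;User ID=web;Password=constructed" %>',
        # .asp include: a direct request runs the ASP engine and returns nothing useful
        "about.asp": '<!-- #include file="inc\\header.asp" -->',
        "inc/header.asp": '<% Sub Header() : End Sub %>',
        # SSI page pulling in a static .html fragment (harmless content, still fetchable)
        "news.shtml": '<!--#include virtual="/inc/footer.html" -->',
        "inc/footer.html": "<p>footer</p>",
        # include stored outside the web root: no URL, so not directly requestable
        "admin.asp": '<!-- #include file="..\\outside\\keys.inc" -->',
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit_web_root(build_sample_site()):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{flag:8} {f['page']} -> {f['include']} ({f['kind']}, exists={f['exists']})")
```

Run it against a real web root instead of the sample site by calling `audit_web_root(r"C:\inetpub\wwwroot")`. An `exposed` finding means either the include should be renamed to an extension IIS processes (for example, .asp) or moved outside the web root; a finding with `exists` false is a broken include and is a candidate for the error-page leak discussed next.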
If an attacker is able to determine the name of one of your include files, he or she may be able to request that file directly. A common way of discovering the name of an include file is to trigger an unhandled exception (error) in your code. If the error occurs inside an include file, the default ASP error page that is generated includes the name of the include file (as...