If you are using the IIS Web server with WebSphere Commerce, you need to be aware of the following security consideration and take the recommended action to minimize any security exposure of your WebSphere Commerce data.
Problem: For the IIS Web server, read permission on a Virtual Directory provides access to the source code of JSP files. In order to prevent download of the JSP source code, you must physically separate the static content from the dynamic content of your Web pages if you are using the IIS Web server. This is because IIS security is based on directory location, rather than file type. Under the default IIS configuration, the image files and JSP files are located under a single alias. You should use the default configuration for testing purposes only.
Solution: To secure all Web assets, the dynamic content must be accessed using a Virtual Directory with execute only permission (not read), while static content should be moved to a different Virtual Directory with read only permission. For further information on how to set permissions on a Virtual Directory, see the instructions in the IIS help information. It is also recommended that you consult Microsoft Corporation's current documentation on security patches and configuration policies.
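The following added example (not part of the WebSphere Commerce documentation) models the separation described above so that a layout can be audited before it goes live: each Virtual Directory is represented by its alias, physical path and Read/Execute flags, and any JSP reachable through a Read-enabled directory is reported as a source-exposure finding. The aliases, physical paths and file names are constructed for the example.

```python
# Added example, not from the WebSphere Commerce documentation; the aliases,
# physical paths and file names are constructed for illustration.
from dataclasses import dataclass
from pathlib import PureWindowsPath

DYNAMIC_EXT = {".jsp", ".jspf"}   # must only ever be executed by the application server
STATIC_EXT = {".gif", ".jpg", ".png", ".css", ".js", ".html"}

@dataclass(frozen=True)
class VirtualDirectory:
    alias: str           # IIS alias, e.g. "/webapp"
    physical_path: str   # directory the alias maps to
    read: bool           # IIS "Read" permission on the virtual directory
    execute: bool        # IIS "Execute" permission on the virtual directory

def owning_vdir(vdirs, file_path):
    """Virtual directory whose physical path is the deepest ancestor of file_path, or None."""
    parents = PureWindowsPath(file_path).parents
    matches = [v for v in vdirs if PureWindowsPath(v.physical_path) in parents]
    return max(matches, key=lambda v: len(PureWindowsPath(v.physical_path).parts), default=None)

def audit(vdirs, files):
    """Return (finding, alias, file) tuples; an empty list means the layout is clean."""
    findings = []
    for f in files:
        v = owning_vdir(vdirs, f)
        if v is None:
            continue                                   # not reachable through IIS at all
        ext = PureWindowsPath(f).suffix.lower()
        if ext in DYNAMIC_EXT and v.read:              # Read lets IIS hand out the JSP bytes
            findings.append(("jsp-source-exposed", v.alias, f))
        elif ext in DYNAMIC_EXT and not v.execute:
            findings.append(("jsp-not-executable", v.alias, f))
        elif ext in STATIC_EXT and not v.read:         # execute-only directory cannot serve images
            findings.append(("static-not-readable", v.alias, f))
    return findings

# Default-style layout: images and JSPs under a single alias with Read and Execute.
DEFAULT_LAYOUT = [VirtualDirectory("/webapp", r"C:\wc_example\web", read=True, execute=True)]
DEFAULT_FILES = [r"C:\wc_example\web\images\logo.gif", r"C:\wc_example\web\store\OrderDisplay.jsp"]

# Hardened layout: execute-only alias for the JSPs, separate read-only alias for static files.
HARDENED_LAYOUT = [
    VirtualDirectory("/webapp", r"C:\wc_example\web", read=False, execute=True),
    VirtualDirectory("/static", r"C:\wc_example\static", read=True, execute=False),
]
HARDENED_FILES = [r"C:\wc_example\static\images\logo.gif", r"C:\wc_example\web\store\OrderDisplay.jsp"]
```

Running `audit(DEFAULT_LAYOUT, DEFAULT_FILES)` reports the JSP under the Read-enabled alias, while the hardened layout produces no findings; a static file left behind under the execute-only alias is reported as unreadable.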