Just after ranting against SQL Server port 1433 idiots here and here, this time it's about C:\Inetpub\wwwroot\ in production environments.
Now why not?
IIS4 and IIS5 install the root for the web in here, but IIS also installs by default some bad scripts, help, docs and other bad stuff.
While for development environments it's acceptable since VS.NET 2002/3 use it as root, in production it's an absolute NO-NO.
By knowing this and IIS's many vulnerabilities, one can easily invoke and run those scripts to find out more about your webserver and machine.
Now what can be done?
1) Move the root to another directory,
even better to another disk,
even better to a read-only device like a CD player
2) Install the IIS Lockdown tool to remove all excessive garbage
3) Install the URLScan tool to block bad requests
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp
Remember the IIS checklist at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/iis5/tips/iis5chk.asp
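
To check whether the default content is really gone after the cleanup above, here is an added example (not part of the original post): a small Python scanner for W3C extended IIS logs that flags requests landing under default-install virtual directories. The directory list and the sample log are assumptions constructed for illustration; adjust the list to what your install actually created.

```python
# Default-install virtual directories to look for (assumed list for IIS 4/5; adjust).
DEFAULT_VDIRS = ("/scripts", "/iissamples", "/iishelp", "/iisadmin", "/msadc", "/printers")

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def hits_default_content(uri):
    """Return the default virtual directory a URI falls under, or None."""
    path = uri.split("?", 1)[0].lower()
    for vdir in DEFAULT_VDIRS:
        # Match the directory itself or anything below it, not look-alike prefixes.
        if path == vdir or path.startswith(vdir + "/"):
            return vdir
    return None

def audit(lines):
    """Return (client, uri, status, vdir) for each request aimed at default content."""
    findings = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        vdir = hits_default_content(uri)
        if vdir:
            findings.append((rec.get("c-ip", "-"), uri, rec.get("sc-status", "-"), vdir))
    return findings

def still_served(findings):
    """Default directories that answered with a status other than 404."""
    return sorted({vdir for _, _, status, vdir in findings if status != "404"})

# Constructed sample log (documentation-range addresses), not from a real server.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-01 10:00:01 192.0.2.10 GET /default.asp 200
2003-05-01 10:00:05 198.51.100.7 GET /iissamples/default/welcome.htm 200
2003-05-01 10:00:09 198.51.100.7 GET /IISHelp/iis/misc/default.asp 200
2003-05-01 10:00:12 198.51.100.7 GET /msadc/readme.txt 404
2003-05-01 10:00:20 192.0.2.10 GET /scriptsarchive/list.asp 200
""".splitlines()

if __name__ == "__main__":
    print("still served:", still_served(audit(SAMPLE)))
```

Any directory reported by `still_served` is default content the server is still handing out and is a candidate for removal.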