DNN Site getting hacked repeatedly
New Post
10/3/2007 8:27 AM
 

That last thread was the thread that made a lot of people lose a ton of respect for Nina. It was unfortunate, because she has a lot to offer. 


cptkoi wrote

Do you think 10's of thousands of IIS servers would all be suffering the same fate if it were an IIS issue? 

No, because 100's of thousands of IIS servers have competent and knowledgeable administrators that know how to properly configure their servers.

 
New Post
10/3/2007 9:11 AM
 

Ed I am not quite sure where that comment came from. 

In all my time, I have never had a single person come to me and tell me that they have 'lost respect' for my comments.  In fact when I posted on my blogs, I spoke in detail with Cathal about it and as someone involved in security, and as part of the core team at the time, it was never raised, nor was I questioned or asked to remove that post or I would have.  I sought advice from people I respected prior to making comments public.  But let's get real about this, that module caused problems.  And less than a month ago, it caused problems for me as I acquired a handful of clients who had been sitting on server, with that exact module - like a time bomb, not patched, even though I was assured it had been and unfortunately didn't check as I trusted the information to be true, and honestly who would think that anyone would knowingly not patch something if they knew there was such a problem..

..... Less than 1 week on my server and it was hacked.. I was furious...it still lives to haunt us.. and it was like reliving the whole thing over again, but this time, due to changes in our configuration, it was very difficult for them to do mass damage.

My server is doing over 250gb per month in traffic, with hundreds of dnn sites, and I've managed to keep it clean until that moment of 'trust' let me down. I have a list of modules that will never see the light of day on my server due to their performance and in this case security, but that's just doing due diligence and ensure my servers continue to perform as the client base grows.

My guess as to why these sites get hacked is because they are running the modules, or the control panels that get hack attacks on a regular basis. When using a control panel, when one site gets hit, you can bet your bottom dollar every one will be, since often it's the control panels that have the vulnerability too, not just IIS.   It happens and in spite of it happening, I've never blamed the dnn product, just the crap module that caused the problem in the first place.

In spite of my 'tough love' attitude, I've still worked hard at participating in the community but at a different level and certainly don't feel any 'loss of respect'... more like sour grapes from some people, but hey that's life isn't it.

On a lighter note Ed I'd like to say thanks for the .... she has a lot to offer...  which means you're talking in the present tense so not all is lost is it..  I've just released my new dnnskins site - http://www.dnnskins.com - all the free skins I had access to - tested, installed, updated, packaged, available for preview and available for download and will be sending out email to the culled list of over 60,000 subscribers (with duplicates removed)  I lost about 12,000 in the purge, but I still think that's a respectable number of subscribers who have logged into my sites, downloaded something for nothing to learn from and hopefully make less mistakes than I did. 

But thanks for the positive note... always nice to read..

 Nina Meiers
 Lots of free skins.. Really there is  


Nina Meiers My Little Website
If it's on DNN, I fix, build, deploy, support,skin, host, design, consult, implement, integrate and done since 2003.
Who am I? Just a city chic, having a crack at organic berry farming.. and creating awesome websites.
 
New Post
10/3/2007 9:31 AM
 

I don't want to hijack the thread. But the exchange between you and Richard in that thread was what I was referring to. What I and a lot of others saw was one person being courteous and professional, and another one not so much.

But as you said, that's the past, this is now. I love the work you do and the stuff/advice you offer.

"Tough Love" is a funny thing. 9 times out of 10 it makes the deliverer look bad.

 
New Post
10/4/2007 3:32 PM
 

cptkoi wrote

Do you think 10's of thousands of IIS servers would all be suffering the same fate if it were an IIS issue? 

It's neither a DNN nor an IIS issue.  It's an IIS administration issue.  If anyone or any app can write to your root folder, you have either the wrong NTFS permissions on the site or a password that someone else knows.  It's also possible you have not patched an older IIS version.  And if you have a problem with Default.htm being higher in the default document list than DNN's Default.aspx, then you have a poor IIS admin who hasn't edited the default document list appropriately.  Since DNN only needs Default.aspx, you don't need anything else in that list.

For help on securing IIS, see the forums at www.iis.net.  And start by flattening the box, reinstalling from scratch and only restoring known good data.  Reuse none of the passwords.

Jeff
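
An added example, not part of the post above or of DNN itself: a PowerShell audit for the two misconfigurations that post describes, write access to the site root for broad principals and extra entries in the default document list. The site path, site name and the list of "broad" principals are assumptions, and the second check assumes an IIS version that ships the WebAdministration module.

```powershell
# Added example: audit a DNN site root for broad write ACEs and extra default documents.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\dnn',   # hypothetical path, adjust
    [string]$SiteName = 'Default Web Site'          # hypothetical IIS site name
)

# Principals that should not be able to write to a web root (assumed list).
# The application pool identity is deliberately absent: DNN itself needs it.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\IUSR', 'NT AUTHORITY\ANONYMOUS LOGON')

# Only the bits that allow creating, replacing or deleting files, or changing
# the ACL. Read bits are excluded so read-only ACEs do not match.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000) instead.
$mask = $writeBits -bor 0x50000000

$riskyAces = (Get-Acl -LiteralPath $SiteRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $mask)
}

# Default documents configured for the site, in the order IIS tries them.
Import-Module WebAdministration
$docs = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
            -Filter 'system.webServer/defaultDocument/files/add' |
        Select-Object -ExpandProperty value
$extraDocs = @($docs | Where-Object { $_ -ne 'Default.aspx' })

# Report: each finding is one object so the output can be piped or exported.
foreach ($ace in $riskyAces) {
    [pscustomobject]@{
        Check  = 'RootWritable'
        Detail = "$($ace.IdentityReference) has $($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
    }
}
foreach ($doc in $extraDocs) {
    [pscustomobject]@{
        Check  = 'ExtraDefaultDocument'
        Detail = "$doc is in the default document list; DNN only needs Default.aspx"
    }
}
if (-not $riskyAces -and -not $extraDocs) {
    [pscustomobject]@{ Check = 'OK'; Detail = 'No broad write ACEs or extra default documents found' }
}
```

The script reads only the ACL on the root folder itself; subfolders with inheritance disabled need the same check run against them.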

 
New Post
10/4/2007 3:54 PM
 

jeff@zina.com wrote

It's neither a DNN nor an IIS issue.  It's an IIS administration issue. 

A little bit of an oxymoron there Jeff. They are one in the same. When I referred to it being an IIS issue, I wasn't referring that it was a hole in IIS specifically.

And if there is a problem with permissions allowing someone to place files in the root, removing/reordering the files from the default list will do nothing, because it won't prevent whomever from uploading a defaced default.aspx file.

Any rookie hack fresh out of high school could just rename index.html to default.aspx and get the same effect once they recognized that their inclusion of index.html does nothing to the site.

 