When we install mojoPortal for a client, we take extra care to make sure the installation is a secure and optimized as possible. Some of the steps we take aren't typical of a mojoPortal installation, but they make the site easier to upgrade and more secure.
The and /Data/ directory is setup with Read/Write permissions for the web process user. All other directories are configured with Read permissions only.
The machineKey setting is pulled out of the web.config and placed in a separate file. This is done so that the changes to the machineKey are not lost during upgrades. The machineKey.config file contains a unique machineKey and great care should be taken to keep this file safe and confidential. If it is lost, all passwords for the site will need to be reset. Additional information on this process can be found here.
The mojoProfile.config file is renamed to mojoProfile-{SiteName}.config and the user.config is updated to instruct mojoPortal to use the new file. This is done to allow the site administrator to add or remove fields from the mojoPortal Profile system with out losing those changes on upgrade.
The user.config file has a few extra options added to it to aide with performance and security. Setting these options in the user.config allows for easy upgrades as the settings do not have to be reconfigured on upgrades. Also, Database Connection strings, which are not needed, are removed from the user.config.
The following options are set during the initial configuration of mojoPortal:
User.config File
Site Settings