To elaborate, some of the things I have done on IIS web servers are:
1. URLScan to block SQL Injection -
http://technet.microsoft.com/en-us/security/cc242650.aspx
2. Remove unnecessary modules on IIS like SMTP, FTP & NNTP.
3. Ensure Windows Firewall is on, blocking all but port 80 and 443 (if using SSL) - but also make sure the server is behind a physical firewall (in case the software firewall fails)
4. Run each website and each application in its own application pool and designate a user to each, restricted to its own app pool.
5. Disable all unnecessary users and if possible, keep the server off the Active Directory domain - I keep all web servers in a workgroup.
6. Stick all web servers in a DMZ on a separate subnet to your SQL and back-end servers.
7. Enable auditing in the local security policy and establish a regular routine of monitoring event logs.
8. Use Microsoft Log Parser to pipe all IIS web logs into a SQL server db and run regular queries over the table to look out for suspicious activity:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
9. And finally - pay a 3rd party to regularly pen test your server! You can find a host of cheap providers out there and it's always worth having someone else pen test as they may find holes you may overlook. I can highly recommend our Cisco provider who pen tests us:
http://www.giss-uk.com
I hope this helps!
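A small detector in the spirit of step 8, added here as an example and not part of the original post: it parses IIS W3C extended log lines (a constructed sample, not real traffic) and flags client IPs with repeated 4xx/5xx responses or injection-looking query strings, the same kind of check the Log Parser queries would run over the SQL table. The field names follow the IIS `#Fields:` header; the thresholds and patterns are illustrative assumptions.

```python
"""Flag suspicious clients in IIS W3C extended logs (constructed sample data)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log, in the W3C format IIS writes; not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-03-01 10:00:01 10.0.0.5 GET /default.aspx - 192.0.2.10 200
2011-03-01 10:00:02 10.0.0.5 GET /products.aspx id=1 192.0.2.10 200
2011-03-01 10:00:03 10.0.0.5 GET /products.aspx id=1'+OR+1=1-- 198.51.100.7 500
2011-03-01 10:00:04 10.0.0.5 GET /products.aspx id=1+UNION+SELECT+1,2 198.51.100.7 500
2011-03-01 10:00:05 10.0.0.5 GET /admin/ - 198.51.100.7 404
2011-03-01 10:00:06 10.0.0.5 GET /scripts/ - 198.51.100.7 404
"""

# Query fragments of the kind URLScan deny rules commonly reject (assumed patterns).
SUSPICIOUS = re.compile(r"(union\s+select|'\s*or\s+|--|xp_cmdshell)", re.I)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def flag_clients(text, min_errors=2):
    """Return {c-ip: {"errors": n, "injection": n}} for clients worth a closer look."""
    stats = defaultdict(lambda: {"errors": 0, "injection": 0})
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        # Decode %xx and '+' so encoded payloads are inspected in their plain form.
        query = unquote_plus(rec["cs-uri-query"])
        if rec["sc-status"][0] in "45":
            stats[ip]["errors"] += 1
        if SUSPICIOUS.search(query):
            stats[ip]["injection"] += 1
    return {ip: s for ip, s in stats.items()
            if s["errors"] >= min_errors or s["injection"]}


if __name__ == "__main__":
    for ip, s in flag_clients(SAMPLE_LOG).items():
        print(f"{ip}: {s['errors']} error responses, {s['injection']} injection-like queries")
```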