Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: Windows IIS server hardening checklist, refined!  (Read 5259 times)

nirmal

Windows IIS server hardening checklist, refined!
« on: November 17, 2013, 03:16:07 pm »
Windows IIS server hardening checklist, General

Do not connect an IIS Server to the Internet until it is fully hardened.
Place the server in a physically secure location.
Do not install the IIS server on a domain controller.
Do not install a printer.
Use two network interfaces in the server -- one for admin and one for the network.  [Technically it's poss
Install service packs, patches and hot fixes.
Run IISLockdown on the server.
Install and configure URLScan.
Secure remote administration of the server and configure for encryption, low session time-outs and account lockouts.
Disable unnecessary Windows services.
Ensure services are running with least-privileged accounts.
Disable FTP, SMTP and NNTP services if they are not required.
Disable Telnet service.
Disable ASP.NET state service if not used by your applications.
Disable WebDAV if not used by the application, or secure it if it is required. (See How To: Create a secure WebDAV Publishing Directory at support.microsoft.com.)
Do not install Data Access Components unless specifically needed.
Do not install the HTML version of the Internet Services Manager.
Do not install the MS Index Server unless required.
Do not install the MS FrontPage Server extensions unless required.
Harden TCP/IP stack.
Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
Reconfigure Recycle Bin and Page file system data policies.
Secure CMOS settings.
Secure physical media (floppy drive, CD-ROM drive
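
An added example, not part of the original post: a PowerShell audit for the checklist items that can be verified from the operating system (the FTP, SMTP, NNTP, Telnet and ASP.NET state services, and ports 137, 138, 139 and 445). It assumes PowerShell 3.0 or later, the standard Windows service short names, and English-locale `netstat` output; the function and variable names are illustrative.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Service short names the checklist wants disabled when unused.
$unwanted = [ordered]@{
    MSFTPSVC     = 'FTP Publishing Service (IIS 6)'
    FTPSVC       = 'Microsoft FTP Service (IIS 7 and later)'
    SMTPSVC      = 'SMTP'
    NntpSvc      = 'NNTP'
    TlntSvr      = 'Telnet'
    aspnet_state = 'ASP.NET State Service'
}
# Ports from the checklist: NetBIOS 137/udp, 138/udp, 139/tcp and SMB 445/tcp.
$closed = @{ UDP = 137, 138; TCP = 139, 445 }

function Get-ServiceFindings {
    foreach ($name in $unwanted.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }                      # not installed
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
            [pscustomobject]@{
                Check  = 'Service'
                Item   = "$name ($($unwanted[$name]))"
                Detail = "State=$($svc.State) StartMode=$($svc.StartMode) RunsAs=$($svc.StartName)"
            }
        }
    }
}

function Get-PortFindings {
    # Accepts netstat text so it can be run on saved output; defaults to live.
    param([string[]]$Lines = (netstat -ano))
    $seen = @{}
    foreach ($line in $Lines) {
        # Column 2 is the local address; the port follows its last colon.
        if ($line -notmatch '^\s*(TCP|UDP)\s+\S+:(\d+)\s') { continue }
        $proto = $Matches[1]; $port = [int]$Matches[2]
        # TCP rows count only when listening (English-locale state name).
        if ($proto -eq 'TCP' -and $line -notmatch '\sLISTENING\s') { continue }
        if ($closed[$proto] -notcontains $port -or $seen["$proto/$port"]) { continue }
        $seen["$proto/$port"] = $true
        [pscustomobject]@{ Check = 'Port'; Item = "$port/$($proto.ToLower())"
                           Detail = ($line.Trim() -replace '\s+', ' ') }
    }
}

# Constructed sample rows, used here so the parser can be tried off-box.
$sample = '  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4',
          '  TCP    10.0.0.5:49200 10.0.0.9:445 ESTABLISHED  1180',
          '  UDP    10.0.0.5:137   *:*                       4'
Get-PortFindings -Lines $sample | Format-Table -AutoSize
# On the server itself: @(Get-ServiceFindings) + @(Get-PortFindings) | Format-Table -AutoSize
```

An empty result from both functions means none of the listed services is startable and none of the four ports is open locally; the `RunsAs` column also helps with the least-privileged-accounts item.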