Chapter 9 covers a number of recommended hardening procedures. Here's a recap:
Secure the physical and network perimeter.
Prevent booting from anything but the primary hard drive.
Password-protect BIOS from changes.
Install and correctly configure a perimeter firewall.
Patch hardware, BIOS, drivers, and so on before installing the OS or IIS.
Install the OS.
Don't join the server to a domain (or install Active Directory on it) unless needed.
Configure secure remote administration.
Configure RDP (if used) to listen on a high, non-default port; this only hides the listener from casual scans, so still restrict which source addresses can reach it.
Install IIS in a minimal configuration and then run the patch update.
Harden the OS by removing unneeded software and services.
Require strong passwords.
Enable account lockouts.
Rename the Administrator and Guest accounts.
Remove the Everyone and Power Users groups from "Access this computer from the network" user right.
Remove the Backup Operators group from "Access this computer from the network" user right, unless remote backup is done.
Change the Unsigned Driver behavior from Warn to Don't Allow.
Enable a message text for interactive logon (the extra dialog defeats some automated brute-force logon tools).
Disable logon caching (set the number of previous logons to cache to 0).
Enable the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" option (although this may break some remote management tools).
Enable the "Network access: Do not allow storage of passwords and credentials for network authentication" option.
Enable the "Network security: Do not store LAN Manager hash value on next password change" option.
Set the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM" (unless you need down-level clients to authenticate using Integrated Windows authentication).
Enable the "Shutdown: Clear virtual memory pagefile" option (although this lengthens shutdown and boot times, so weigh it against availability concerns).
Remove POSIX from the list of optional Windows subsystems.
Restrict CD-ROM and floppy drive use to local logged-on users only.
Deny the Log On Locally right to all members of the IIS_IUSRS group.
Enable the "Interactive logon: Do not display last user name" option.
Remove DFS$ and COMCFG from the "Network access: Shares that can be accessed anonymously" list.
Disable File and Printer sharing.
Install additional IIS features and modules as needed.
Minimize Protocol Listeners, components, handlers, handler permissions, authentication methods, providers, scripts, ISAPI filters, applications, MIME types, and other unneeded IIS content.
Use Feature Delegation to restrict the number of admins and what each admin can do.
Strengthen NTFS permissions.
Design IIS directory structure to support strong security.
Configure URL Request Filtering.
Configure Web site(s) to use only the IP addresses they should be listening on.
Add additional application pools as necessary to segregate unrelated Web sites and content.
Create custom application pool identity and anonymous user accounts as desired to further harden IIS.
Remove unnecessary files, including temp files, scripts, and so on.
Empty the Recycle Bin and reboot the server.
Install only security-reviewed applications.
Conduct vulnerability tests against the web server to test settings and configuration.
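The Local Security Policy items in the recap above (logon caching, LAN Manager hash storage, authentication level, anonymous SAM enumeration, credential storage, last-user-name display, logon banner, page-file clearing, and the RDP port) are each stored as a registry value, so the step "test settings and configuration" can be scripted. The following PowerShell script is an added example, not the book's own tooling: it audits those values against the recap and, with -Apply, pins them. It assumes an elevated prompt on Windows Server 2008 or later, and the RDP port and banner text are placeholders. It does not cover the user-rights assignments (Access this computer from the network, Deny log on locally), which are applied with secedit /configure from a security template rather than through the registry, nor the IIS items, which are appcmd or WebAdministration work. On a domain-joined server Group Policy overwrites these values at the next refresh, so set them in a GPO instead.

```powershell
<#
Added example for the Chapter 9 recap (not the book's own code).
Audits, and with -Apply enforces, the Local Security Policy items listed above
by reading the registry values Windows stores them in. Run elevated.
Placeholders: -RdpPort and -LogonBanner are assumptions; choose your own.
#>
[CmdletBinding()]
param(
    [switch]$Apply,                                # default is report-only
    [int]$RdpPort = 33890,                         # assumed non-default RDP port
    [string]$LogonBanner = 'Authorized use only.'  # assumed banner text
)

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$memory   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# One row per recap item: the policy name an administrator recognises, the
# registry value that backs it, and the value the recap asks for.
$settings = @(
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = $lsa; Name = 'NoLMHash'; Type = 'DWord'; Expected = 1 }
    @{ Policy = 'Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM & NTLM)'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Type = 'DWord'; Expected = 5 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Type = 'DWord'; Expected = 1 }
    @{ Policy = 'Network access: Do not allow storage of passwords and credentials for network authentication'
       Path = $lsa; Name = 'DisableDomainCreds'; Type = 'DWord'; Expected = 1 }
    @{ Policy = 'Interactive logon: Number of previous logons to cache (0 disables logon caching)'
       Path = $winlogon; Name = 'CachedLogonsCount'; Type = 'String'; Expected = '0' }
    @{ Policy = 'Interactive logon: Do not display last user name'
       Path = $policies; Name = 'DontDisplayLastUserName'; Type = 'DWord'; Expected = 1 }
    @{ Policy = 'Interactive logon: Message text for users attempting to log on'
       Path = $policies; Name = 'LegalNoticeText'; Type = 'String'; Expected = $LogonBanner }
    @{ Policy = 'Shutdown: Clear virtual memory pagefile'
       Path = $memory; Name = 'ClearPageFileAtShutdown'; Type = 'DWord'; Expected = 1 }
    @{ Policy = 'RDP listener port (non-default)'
       Path = $rdpTcp; Name = 'PortNumber'; Type = 'DWord'; Expected = $RdpPort }
)

function Test-Setting($s) {
    # A missing value means the OS default is in force; it is reported as
    # non-compliant so that -Apply pins the recap's value explicitly.
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $shown  = if ($null -eq $actual) { '<not set>' } else { "$actual" }
    [pscustomobject]@{
        Policy    = $s.Policy
        Value     = $s.Name
        Actual    = $shown
        Expected  = "$($s.Expected)"
        Compliant = ($null -ne $actual) -and ("$actual" -eq "$($s.Expected)")
    }
}

function Set-Setting($s) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Expected -Type $s.Type
}

if ($Apply) {
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated prompt to apply settings.'
    }
    foreach ($s in $settings) {
        if (-not (Test-Setting $s).Compliant) {
            Set-Setting $s
            Write-Host "Set $($s.Name) -> $($s.Expected)"
        }
    }
    # The new RDP port takes effect after TermService restarts (or a reboot) and
    # needs a matching inbound firewall rule; the LM hash setting only affects
    # passwords changed from now on, and page-file clearing starts at next shutdown.
}

# Re-read after any changes and print the audit; exit non-zero when anything is
# still out of policy so the script can gate a build or deployment pipeline.
$results = foreach ($s in $settings) { Test-Setting $s }
$results | Format-Table Policy, Actual, Expected, Compliant -AutoSize -Wrap
$failing = @($results | Where-Object { -not $_.Compliant }).Count
exit ([int]($failing -gt 0))
```

Run it without switches first to see the current state, then with -Apply once you have backed up the affected keys (reg export works for each of the five paths). Because the script writes the same registry values the Local Security Policy snap-in writes, a later change made in secpol.msc or by Group Policy will show up as a drift on the next audit run, which is the point of keeping the check in the "conduct vulnerability tests" step rather than running it once.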