Best Practices
The OS must be secure on a Windows 2000 server hosting the IIS service. If the OS, including its services, user accounts, file system, or registry, is not secure, IIS is susceptible to every vulnerability caused by that poor OS security configuration.
Weak authentication configuration can lead to the compromise of a user's domain account and password. By enforcing strong authentication methods, whether integrated Windows or certificate-based, you provide the strongest protection of user credentials.
Implement a combination of NTFS and Web site permissions that grants only the minimum permissions required to access a Web site. Do not assign excess permissions, because this reduces the overall security of the Web site.
SSL ensures that all data transmitted between the Web browser and the IIS server is encrypted. SSL also protects weaker forms of authentication, such as basic authentication, by encrypting the weaker credential information as it is sent to the Web server.
Implement the IIS Lockdown tool and the URLScan filter to configure IIS services, enable script maps, and apply additional security to an IIS server.
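The following urlscan.ini is an added example of the kind of URLScan filter configuration the last point refers to; it is not taken from the page or from Microsoft's shipped defaults. It assumes a site that serves only static HTML and images over GET and HEAD, so the extension and verb lists are assumptions to be widened for any site that needs ASP or other script maps. Each setting is commented with the request class it rejects.

```ini
; urlscan.ini - hardened profile for a static-content IIS site (example, values assumed)

[options]
UseAllowVerbs=1            ; only verbs listed in [AllowVerbs] are accepted; everything else is rejected
UseAllowExtensions=1       ; only extensions listed in [AllowExtensions] are served
NormalizeUrlBeforeScan=1   ; decode the URL once before scanning so encoded sequences cannot bypass rules
VerifyNormalization=1      ; reject requests that still change when normalized a second time (double encoding)
AllowHighBitCharacters=0   ; reject non-ASCII bytes in the URL, which are common in encoding tricks
AllowDotInPath=0           ; reject dots in directory names, closing off extension-hiding paths
RemoveServerHeader=1       ; do not advertise the server version in the Server response header
EnableLogging=1            ; write rejected requests to the URLScan log for the SOC to review
PerDayLogging=1            ; one log file per day keeps the log manageable for analysis
RejectResponseUrl=/rejected.htm   ; assumed static page returned to the client on a rejection
UseFastPathReject=0        ; send the RejectResponseUrl page instead of a bare 404

[AllowVerbs]
; Only read-only verbs are allowed for a static site; PUT, DELETE, TRACE and others are rejected.
GET
HEAD

[DenyHeaders]
; Headers associated with content upload or transfer tricks are rejected outright.
Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]
; Nothing outside this list is served, so script maps the site does not use cannot be reached.
.htm
.html
.txt
.jpg
.gif
.png
.css

[DenyUrlSequences]
; Path traversal and alternate data stream markers are rejected wherever they appear in the URL.
..
./
\
:
%
&

[RequestLimits]
; Oversized requests are rejected before they reach IIS, limiting buffer-related exposure.
MaxAllowedContentLength=4096
MaxUrl=260
MaxQueryString=1024
```

After changing urlscan.ini the W3SVC service must be restarted for the filter to reload it. The log enabled by EnableLogging is the first place to look when a legitimate request starts failing, since every rejection is recorded with the rule that caused it; review it before loosening any rule.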