Recommendations for securing Internet-facing IIS Host?

Question

I'm setting up an Internet-facing ASP.NET MVC application, on Windows 2008. It uses SQL Server 2008 for its database. I'm looking for best-practices for securing it.

I found this article, but it's a bit dated now. How much of that advice is still valuable?

Some background -- it's a personal site, behind my home NAT/firewall box; and I'll only forward ports 80 and 443 to it. The IIS server itself is a Windows 2008 host running on HyperV (I only have one physical box to spare).

One useful thing that's mentioned in that article (which had occurred to me already) is that the IIS box shouldn't be a member of the domain, so that an intruder can't easily get off the box. I'll be removing it from the domain in a moment :)

What other tips should I (and anyone deploying to a bigger environment) bear in mind?

I know that this isn't strictly a programming-related question (there's no source code in it!), but I guess that most programmers have to dabble in operations stuff when it comes to deployment recommendations.

Answer 1

I don't know about removing it from the domain, but I'd certainly disable LanMan hashes, keep the system fully patched, and use good password security. Make sure that any processes running in IIS run from least privileged accounts, i.e., don't run the worker processes under IDs that are in Local Administrators.

Answer 2

You might take a look at these two tools: Best Practices Analyzer for ASP.NET

SQL Server 2005 Best Practices Analyzer (even though you are using 2008, still might be of help)