Web Hosting Forum | Lunarpages
Author Topic: How do I secure a dedicated Windows 2003 Web Server ?  (Read 1918 times)
jkotuby
« on: September 12, 2006, 10:10:34 AM »

Our company has recently leased from Lunarpages a dedicated Windows Server running Windows 2003 Standard and SQL Server 2005 full version. Our intention is to move a functioning business critical .NET Web Service application from a "managed" server at another hosting company to this new server. I am discovering that "unmanaged" means much more than I originally had anticipated.

The very first time I logged into the new Server, before even uploading any files, I discovered that the server had already been "compromised"... which was verified by one of your technicians. He had to totally rebuild the OS and re-install the programs. My question is, what steps do I need to take to "secure" the server yet still allow our web services to run. At our home office I have installed a hardware firewall/antivirus solution in addition to software AV on all the servers and workstations. But, I have never been tasked with securing a remote Web Hosting, and in our case, Application server.

I have already installed Grisoft AVG for Windows server antivirus software because I noticed it was being used on the other hosting company's "managed" server. But then in PLESK I noticed that there is a DR.Web antivirus program running that does not show up in Control Panel. As of this time I do not know how to access its logs or scheduled scans. The response I get to any questions about that is "read the PLESK documentation".

The next question is about what firewall software should be used for a Windows web server. I am posing that question here and will also research the Microsoft literature. For now I will just enable Windows Firewall and hope that it doesn't immediately cut off my Remote Desktop connection, which I have set up without using PLESK.

That brings up another question. I am considering installing a program called SecureRDP freeware by a company called 2X. It will restrict access by Remote Desktop to a limited number of defined remote IP addresses. I am hoping that it will not, however, restrict access by the Lunarpages technicians, in case I need their help. Has anyone else used this software or know anything about it?

My other option is to set up VPN access to the Server and then require remote desktop to connect only through the VPN. I am concerned that unfettered access via RDP might be a security concern. At our home office we use non-standard ports for Terminal Services, because we have seen evidence of hackers trying to access port 3389, such that a number of times some of our login accounts have been suspended due to repeated incorrect logins. We have a very small staff here, so it is unlikely that the staff members themselves were responsible for the faulty logins. However, in this remote server situation, if I change the port then, once again, it might become difficult for Lunarpages techs to connect to our server.

So I reiterate, does anyone have some answers or suggestions for my concerns about properly securing a remote Windows web server? Thanks all...
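The two firewall concerns in the post above (turning Windows Firewall on without losing the Remote Desktop session, and limiting RDP to defined addresses while keeping the hosting technicians' access), as an added example that is not part of the original thread. It assumes Windows Server 2003 SP1 or later with the Windows Firewall/ICS service already running; the addresses are placeholders from documentation ranges, not real Lunarpages addresses.

```bat
@echo off
rem Added example, not from the thread. Run in cmd.exe on the server as an administrator.
rem ADMIN_IPS and HOST_IPS are placeholders: replace them with your office address(es)
rem and the range your hosting provider's technicians connect from (ask them for it).
set ADMIN_IPS=203.0.113.10
set HOST_IPS=198.51.100.0/24

rem 1. Create the scoped Remote Desktop exception BEFORE the firewall is turned on,
rem    so the session you are working in is already allowed when filtering starts.
netsh firewall set portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=%ADMIN_IPS%,%HOST_IPS%

rem 2. The web service itself stays reachable from anywhere.
netsh firewall set portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL
netsh firewall set portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

rem 3. Review the exception list before anything is enforced. Confirm that the
rem    address you are connected from is inside the 3389 scope.
netsh firewall show portopening
pause

rem 4. Log dropped packets so blocked connection attempts to 3389 can be reviewed later.
netsh firewall set logging droppedpackets=ENABLE

rem 5. Only now turn the firewall on, then confirm the resulting state.
netsh firewall set opmode mode=ENABLE
netsh firewall show state
```

The `pause` before step 5 is the point at which to stop (Ctrl+C) if the address list is wrong; nothing is filtered until `set opmode mode=ENABLE` runs.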
DSB
« Reply #1 on: September 12, 2006, 12:31:57 PM »

I'm not currently using a Windows hosting account but I run Win2K3 at home.

1. The first thing I would do after installing the OS is disable IIS.
2. Patch the OS completely using Windows Update.
3. Reset NTFS permissions on every file and folder in the system to be as limiting as possible.

    Administrators  - Full Permissions
    System - Full Permissions

    Then you apply the necessary permissions to individual folders or folder sets to provide functionality to certain groups or internet users.

4. Run IIS Lockdown Utility
5. Enable IIS

That should do it and you should be very secure.  Of course you would need to keep up with the windows updates as well as other updates to critical systems.

Once again, this assumes you have access to all of these things.
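Step 3 of the reply above, narrowed to a single web content folder rather than every file on the system, as an added example that is not part of the original thread. The folder path and the account names (the default IIS 6 anonymous user and worker process identity) are assumptions; adjust them to the server.

```bat
@echo off
rem Added example, not from the thread. Run in cmd.exe as an administrator.
rem SITE and the account names are assumptions: a content folder outside the
rem system drive and the default IIS 6 identities.
set SITE=D:\Sites\example
set ANON=IUSR_%COMPUTERNAME%

rem Step 3a: replace the ACL on the whole tree so that only Administrators and
rem SYSTEM hold Full Control. Without /E, cacls replaces the ACL instead of
rem editing it and asks for confirmation, hence the piped "y".
echo y| cacls "%SITE%" /T /G Administrators:F SYSTEM:F

rem Step 3b: add back only what the site needs, here read access for the
rem anonymous web user and for the worker process identity.
cacls "%SITE%" /T /E /G %ANON%:R
cacls "%SITE%" /T /E /G "NETWORK SERVICE":R

rem Check: list any remaining entry that names Everyone or a Users group
rem (Users, Authenticated Users, Power Users). No output means none are left.
cacls "%SITE%" /T | findstr /I "Everyone Users"
if errorlevel 1 echo No Everyone/Users entries remain under %SITE%.
```

Folders the application must write to (uploads, logs) need a separate, explicit grant for the worker process identity on that folder only.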

jkotuby
« Reply #2 on: September 20, 2006, 05:40:08 AM »

Thanks for the info re: IIS Lockdown and File/Folder security permissions. I have implemented some of the measures you have mentioned and will follow through on the rest. I have set Microsoft Update to apply patches and reboot (if necessary) at 3AM EST. I know the reboot is not a good thing for a web server, but advertising the fact that the service may not be available for a few minutes each night is not the worst thing. If the service catches on we can always go to a mirror server failover I suppose.

Thanks again...
GMTurner
« Reply #3 on: September 20, 2006, 06:07:34 AM »

One issue I've noticed recently with automatic updates is that if the system checks before the patches have been released by MS on Patch Tuesday, it will be another day (if not longer) before the system detects them. So, you will probably want to keep an eye on it by doing the "check for updates" routine just in case something was missed...

Also, you might place a note on the site somewhere, maybe in a description of the services, a TOS or something that states that at present the system could be off-line for regular system maintenance from 3-4AM EST. That way you can have something to fall back on if you start getting complaints about it being down... not the best solution, but until there's a way to patch windows without needing to reboot... oh, and for what it's worth, when patching a W2k3 server at work, it typically doesn't take more than a few minutes and other than during the reboot process the server seems to remain reasonably responsive... but the specs on that server are also lower than the basic dedicated server LP has, so I don't think it should be too big of a problem... and the reboot is normally just a few minutes...


The above post was made at a time when I gave a dang and doesn't necessarily reflect my current views or opinions.

For those no longer with us ... Grr..!!

The Redheaded Penguin