First, get Microsoft Baseline Security Analyzer and run it on your system.

Then, go to this site:

http://www.microsoft.com/technet/Sec...s/default.mspx

And download and run the tools to harden your IIS. The lockdown and URLScan tools are a great help. After you go through this, run a port scanner like nmap against the system to check the open ports. This site also has numerous other resources--tools and documentation--that will help you make your site secure.

It goes without saying that this all assumes that you have installed an appropriate anti-virus program and are setting this up behind a firewall, if possible.

In the IIS configuration, you might want to look into changing the default document names from index.asp, default.asp or whatever to something like MyIndex.asp, or MyDefault.asp, and renaming your default documents in the web site to match. This helps to take the teeth out of some of the defacing attacks.

Your best bet, of course, would be to upgrade to Win2k3 and IIS 6.x, but with the appropriate diligence, vigilance, and care and feeding of Win2k and IIS 5.x, you might survive a while yet.
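The port check mentioned above can be turned into a repeatable audit by saving nmap's grepable output (`-oG`) and comparing the open ports against an allowlist. This is an added example, not part of the original post; the host address, the sample scan output and the HTTP/HTTPS-only allowlist are constructed assumptions.

```python
# Constructed sample of nmap grepable (-oG) output for a hypothetical host.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (994)
# Nmap done
"""

# Assumption: a web-only server should expose just HTTP and HTTPS.
EXPECTED_OPEN = {("tcp", 80), ("tcp", 443)}


def parse_open_ports(grepable_text):
    """Return {host: {(proto, port): service}} for ports in state 'open'."""
    results = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and the "Status:" line
        host = line.split()[1]
        # Fields are tab-separated; pick the one beginning with "Ports:".
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for entry in ports_field[len("Ports:"):].split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                results.setdefault(host, {})[(proto, port)] = service
    return results


def audit(grepable_text, expected=EXPECTED_OPEN):
    """Per host: open ports not on the allowlist, and allowlisted ports not open."""
    report = {}
    for host, ports in parse_open_ports(grepable_text).items():
        unexpected = sorted(k for k in ports if k not in expected)
        report[host] = {
            "unexpected": [(p, n, ports[(p, n)]) for p, n in unexpected],
            "missing": sorted(k for k in expected if k not in ports),
        }
    return report


if __name__ == "__main__":
    for host, r in audit(SAMPLE_GREPABLE).items():
        for proto, port, svc in r["unexpected"]:
            print(f"{host}: unexpected open {port}/{proto} ({svc})")
        for proto, port in r["missing"]:
            print(f"{host}: expected {port}/{proto} is not open")
```

Anything reported as unexpected is a service to disable or block at the firewall before the server goes live; rerun the scan after each change to confirm the result.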