IIS Security Tips

by Hal Flynn Sept. 1, 2017 via Symantec

Know your web site -- Know you web site in and out. Know the function of every file. Know the ACL' of every file. Delete, rename, or quarantine every file you don't know. Know all the virtual roots and where they physically reside. Frequently open MMC and frequently produce directory listings. Frequently list the most recently changed files in your web root. Keep copies of your site offline on read-only media for base reference.

https://www.symantec.com/connect/articles/iis-security-tips