Do check out the Baseline Security Analyzer tool from Microsoft. Just download the MSI package from the page and install it with a shortcut on the Desktop (default). We ran it against a fresh Windows 2000 install with just SP2 installed. Here is a screenshot of the results. We are alerted to many security issues. A really cool thing about this tool is that it will explain what is wrong and point you to an article for further details. Here is a screenshot of the explanation about the restrict anonymous warning.

Be careful. Remember the fiasco where Microsoft brought up wehavethewayout.com and it was running FreeBSD? Well, MS changed the site quickly after the embarrassing revelation; however, when they brought the site back up on IIS it was down for quite a while. Here is a less biased report.

There are two things that come from this. First, you need to secure servers exposed to the Internet (duh!). All speculation, but we don’t feel the main problem was hackers when Microsoft brought the site back up. There was no defacement, as far as we are aware, and that would be the first thing somebody would do if they did compromise the server. We suspect that the reason the site was down so long is that the application of security patches and recommendations made the server inaccessible to users that were not authenticated. Websites, at least this type, are viewed by everyone. If you use some wizard to warn you about security holes and blindly fix them, you could very well break things as well.


