I'm looking for security solutions for my web servers from within the web service level. Is there any software that can run on top of IIS in Windows? Further, are there any best-practices that web administrators follow to secure their servers? (ASP.NET, IIS6 or IIS7, and server 2003 or 2008 supported)
I've heard of application firewalls such as dotDefender, but it's costly. I see this as an extra level of security that could help stop intruders breaking not-so-well-coded sites.
URLScan 3.1 is available for IIS version 5.1 and later (XP, 2003, 2008) and can be downloaded here in both x86 and x64 versions.
When using URLScan, I would highly recommend installing it as a site filter instead of as a global filter if you have multiple IIS sites. This will allow you to use the strictest configuration possible while still being the most flexible for sites or applications that require it. Read the URLScan Setup document for information on how to do this.
What is it that you're hoping to accomplish? Most security on the site itself is handled via web site permissions, NTFS permissions, and/or internal application authorizations. Beyond that you're really looking at a full-out firewall or web proxy.
If you are running Windows Server 2008 there is no need for installing an additional firewall. It already has a very defined firewall which can also be configured from the command prompt.
Web Servers should also be behind a controlled set of hardware firewalls which should allow additional restrictions to ports and IP addresses. Since you are a MS shop you may want to look at ISA as well.
Configure your NTFS permissions like squillman said.
Good luck!
Additionally, IIS 7 comes with request filtering, and URLScan 3 was also recently released.
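As an added illustration (not taken from any of the answers above), here is a per-site web.config fragment for the IIS 7 request filtering module just mentioned, applying the same idea as installing URLScan per site rather than globally: the tightest rules go in the site that can live with them. The verb list, size limits and extension/segment lists are assumptions for a plain ASP.NET site and must be adjusted for any application that needs more (WebDAV, large uploads, extra verbs).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed per-site web.config; values below are illustrative, not IIS defaults to copy blindly. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-encoded URLs (e.g. %252e) and non-ASCII bytes in the URL. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Caps on request size (bytes), URL length and query string length.
             10485760 = 10 MB body; raise only for sites that genuinely upload files. -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048"
                       maxQueryString="1024" />

        <!-- Whitelist verbs for this site only; a site using WebDAV or OPTIONS
             would keep allowUnlisted="true" or add the verbs it needs. -->
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>

        <!-- Serve unknown extensions, but never hand out config or backup files. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak"    allowed="false" />
          <add fileExtension=".old"    allowed="false" />
        </fileExtensions>

        <!-- Path segments that must never be reachable over HTTP. -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Data" />
          <add segment="App_Code" />
        </hiddenSegments>

        <!-- Substrings that cause an immediate 404.5 (directory traversal attempts). -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence="%2e%2e" />
        </denyUrlSequences>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Rejected requests are logged with a 404.x substatus in the site's IIS log, so the log is the place to check that a rule is not blocking legitimate traffic before tightening it further.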