A. Below are points to be aware of
- Disable the creation of Admin shares (see How do I stop the default admin shares from being created?)
- Use NTFS and remove Everyone access except for the directories that are part of the web documents, and for those directories only have Read access. If Everyone access is removed from folders which contain executables that run services or which data is written to by the system, System access should be added to those folders; otherwise, logs will not be written, and services will not be restarted if they are stopped.
- It is possible to disable TCP ports on NT, and you could restrict the NT server to only accept packets on port 80 (web browser). This is discussed in "Is it possible to protect against Telnet attacks?"
- If the server is part of your internal intranet use a firewall
A good paper from Microsoft can also be seen here.