Within your Inetpub\wwwroot\<virtual_server> folder, you should have separate folders for:

Executable files (.bat, .cmd, .pl, .exe)
Script files (.asp)
Include files (.inc, .shtm, .shtml)
Static content (.jpg, .gif, .htm, .html)

Set the following permissions for Executable, Script, and Include file folders:

Everyone (X)
Administrators (Full Control)
System (Full Control)

Set the following permissions for Static content folders:

Everyone (R)
Administrators (Full Control)
System (Full Control)

Since the Inetpub\FTProot and the Inetpub\Mailroot folders usually require anonymous access for read and write, put these folders on a separate partition and set disk quotas for the Everyone group. This will alert you when the folder fills up from a denial of service attack.
To prevent your log files from being altered by intruders, set the following permissions on the log files in the %SystemRoot%\system32\LogFiles folder:

Administrators (Full Control)
System (Full Control)
Everyone (Read)
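
One way to apply the permissions listed above with icacls, as an added example that is not part of the original checklist. The subfolder names (bin, scripts, include, static) and the -SiteRoot and -Apply parameters are assumptions; without -Apply the script only prints the commands it would run.

```powershell
# Added example. Subfolder names under $SiteRoot are assumptions; match them to your layout.
param(
    [Parameter(Mandatory)][string]$SiteRoot,  # e.g. the Inetpub\wwwroot\<virtual_server> folder
    [switch]$Apply                            # default is a dry run that prints the commands
)

# Well-known SIDs, so the script also works on localized Windows installs.
$Everyone = '*S-1-1-0'
$Admins   = '*S-1-5-32-544'
$System   = '*S-1-5-18'

# Folder -> permission for Everyone, following the lists above.
# (X) is the icacls specific right "execute/traverse"; R is the simple right "read".
$Plan = [ordered]@{
    "$SiteRoot\bin"                     = '(X)'  # executable files
    "$SiteRoot\scripts"                 = '(X)'  # script files
    "$SiteRoot\include"                 = '(X)'  # include files
    "$SiteRoot\static"                  = 'R'    # static content
    "$env:SystemRoot\system32\LogFiles" = 'R'    # log files
}

function Get-IcaclsArgs([string]$Path, [string]$EveryonePerm) {
    $flags = '(OI)(CI)'   # apply to this folder, its files and its subfolders
    return @(
        $Path,
        '/inheritance:r',                        # drop ACEs inherited from the parent
        '/grant:r', "${Admins}:${flags}F",
        '/grant:r', "${System}:${flags}F",
        '/grant:r', "${Everyone}:${flags}${EveryonePerm}"
    )
}

foreach ($path in $Plan.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing folder: $path"
        continue
    }
    $icaclsArgs = Get-IcaclsArgs $path $Plan[$path]
    if ($Apply) {
        & icacls.exe @icaclsArgs
        if ($LASTEXITCODE -ne 0) { Write-Error "icacls failed on $path" }
    } else {
        Write-Output ("icacls " + ($icaclsArgs -join ' '))
    }
}
# /grant:r replaces only the ACEs of the three SIDs above. Review the result with
# "icacls <folder>" and remove any other explicit entries that should not be there.
```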