A Few Common Steps to Secure IIS 6.0 Web Servers

  1. Disable NetBIOS over TCP in the TCP/IP Properties of the external NIC
  2. Uncheck "Clients for Microsoft networks" and "File and Print sharing" from the external NIC of the Web server
  3. Enable IPSec policies so that only traffic to port 80 or 443 is accepted
    1. Create a general IPSec policy deny access from Any to Any for Any port
    2. Then create a specific IPSec policy to Allow access from Any IP to My IP on Port 80/443/Specific
  4. Install the Security Configuration Wizard from the Control Panel and create a new security policy. Run the wizard on the same web server you are securing so that it can compare the current security settings with the recommended ones. This can be done remotely, but we recommend doing it locally. Select the "Web Server" role from the installed roles and unselect all others. Make the necessary changes to the services that are required. At the end, compare the current startup mode of each service with the policy-based startup mode, and correct the startup type of any service that looks wrong before applying the policy. This should be done with care and a lot of testing in a lab. Once you are confident that everything works in the lab, roll the same policy out to the production web servers.
  5. Rename the local Administrator Account and Disable Guest account
  6. Rename the IUSR_computername account to something else. Then go to the IIS console, right-click the local computer and click Properties. Select the "Enable Direct Metabase Edit" check box and apply the change. Edit c:\windows\system32\inetsrv\metabase.xml, locate "AnonymousUserName" using the Find feature of your text editor, and change its value to the new name you gave the IUSR_computername account.
  7. Move the IIS logs and the virtual directories to a non-system directory to protect against directory traversal attacks.
  8. Change the NTFS permissions to allow only specific users on the parent directory that contains all files of a website.
  9. Use SSL if possible
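As an added illustration of steps 6 and 7 (example code written for this page, not part of the original checklist), the Python script below parses a constructed metabase.xml fragment and reports every node whose anonymous identity still uses the default IUSR_ name or whose content or log path sits on the system drive; the `system_drive` value and the sample fragment are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed metabase.xml fragment for this example (not from a real server).
# Site 1 still runs anonymous access as the default IUSR_ account and keeps
# content and logs on the system drive; site 2 has been moved and renamed.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01" />
<IIsWebServer Location="/LM/W3SVC/1" LogFileDirectory="C:\\WINDOWS\\system32\\LogFiles" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="C:\\Inetpub\\wwwroot"
                  AnonymousUserName="IUSR_WEB01" />
<IIsWebServer Location="/LM/W3SVC/2" LogFileDirectory="D:\\IISLogs" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="D:\\Sites\\portal"
                  AnonymousUserName="WebAnon" />
</MBProperty>
</configuration>
"""


def audit_metabase(xml_text, system_drive="C:"):
    """Return (Location, finding) pairs for settings the checklist says to change.

    system_drive is an assumption for this example; pass the drive that holds
    %SystemRoot% on the server being audited.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # Every metabase node carries a Location key; attributes are unqualified
    # even though the element names are namespaced.
    for node in root.iter():
        location = node.get("Location")
        if location is None:
            continue
        anon = node.get("AnonymousUserName", "")
        if anon.upper().startswith("IUSR_"):
            findings.append((location, "anonymous identity still uses the default name " + anon))
        for attr in ("Path", "LogFileDirectory"):
            value = node.get(attr, "")
            if value[:2].upper() == system_drive.upper():
                findings.append((location, attr + " is on the system drive: " + value))
    return findings


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE_METABASE):
        print(location, "->", finding)
```

Run it against a copy of the real metabase.xml taken after step 6 to confirm that no IUSR_ reference was missed by the editor's Find feature.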

Workaround: Internal Links shown in SharePoint when published through ISA/TMG

When this issue occurs, you will observe that the internal SharePoint DNS name is used when the portal is accessed externally. For example, your internal DNS name is http://sharepoint and your public FQDN is https://moss.domain.com.

Now, when browsing the portal published through ISA/TMG on the internet, you will find that in a few places SharePoint uses http://sharepoint in place of https://moss.domain.com.

To resolve this issue you need to do a couple of things:

  1. Create an Alternate Access Mapping under http://sharepoint with the external URL http://moss.domain.com
  2. On the TMG, make sure the "Forward the original host header in place of the actual header" option is checked under the "To" tab
  3. If you are using HTTP-to-HTTPS bridging, meaning the internal SharePoint URL uses HTTP but ISA/TMG listens on HTTPS, then open the properties of the web listener you created for the SharePoint rule and go to the Connections tab. Select "Enable HTTP connections on port 80" and select "Redirect all traffic from HTTP to HTTPS"

Once you have done so, test from a client machine on the internet. The problem should be resolved.