How to lock down a Windows 2008 Server before connecting it to the internet

We're a very small company, about to install a new server at a colocation company. The plan is to install the OS, SQL, and IIS, test it, then courier it to the hosting company. It will then presumably appear online, ready for further set up. We plan to manage it over RDP.

Last time we went through this process, we were using Server 2003, and the IPSEC admin was something of a grind.

Is it any different with Server 2008? Is there a quick way of restricting all access except that originating from a couple of IP addresses?

Would appreciate any pointers, or a good idiot's guide to securing Server 2008 for non-experts.


Basics: Updates, Firewall, secured Admin account (renamed, very good password). Then get the Best Practices Analyzers for SQL, IIS, and Server; run them and see what their recommendations are.


I would recommend running the Security Configuration Wizard (SCW) and configuring it accordingly for the installed roles and for your remote management needs.