Congratulations! You are either the proud owner of an SBS box or
are thinking about having one installed in your office. You've
heard that it can allow file and printer sharing, email, Internet
access, group calendaring, modem sharing, and can even host a web site.
But before you roll out that Internet site, it's best that you fully
understand the risks. Please consider the following.

First, let's look at this graphic to identify your vulnerabilities
[graphic courtesy of Microsoft].
As you can see, there are two types of threats to your organization:
human threats and natural disasters. Also notice that insiders and
ignorant employees pose just as much of a threat as outsiders like
crackers and hackers. Ignorant employees can open emails that contain
viruses that can erase files or hard drives, open up back doors, etc.
Insiders can maliciously delete files or engage in other destructive
behavior that can be very harmful to your server.
But we're here to talk about hosting a web site. The threat
from outside attacks is best minimized by not hosting a site on your
server at all. There are many outsourced web hosting sites that
will easily and cheaply host your firm's web site.
A few of them can be found here. Some even offer SQL database
access. If you have a "static firm brochure style" web site
that doesn't need a lot of dynamic updating, choose the outsourced web
hosting option. You can still have your ISP point your email to
your server (using DNS MX records) while they host your web site. For
$20 US a month or less, you can keep your port 80 closed up tight.

Keep it closed - don't host a site.
Why do you want to keep port 80 closed up? A port is like an
open window or door in your house. When you want to secure your
house, you don't leave the front door open, do you? The same is
true for port 80. The number one attacked port on the web is port 80.
The top ten targeted ports can be found here.
In July of last year, Code Red, a worm, came into unprotected,
unpatched servers that had port 80 open and were running IIS. Guess
what... SBS boxes with port 80 open were prime targets for Code Red.
Unsuspecting SBS box owners came in and found their boxes infected.
Now, the "big guy servers" with IIS on a separate server can just take
that IIS server offline. But we SBS'ers can't do that. Thus... understand
carefully... when you host your own web site you are on the
worm/hacking/virus front lines. YOU will be the ones telling the rest
of us about the attacks you are being hit with. Code Red required NO
action by a server owner; all that was needed to be infected was a
running IIS server and an open port 80.
1. The "Code Red" worm attempts to connect to TCP port 80 on a randomly
chosen host assuming that a web server will be found. Upon a successful
connection to port 80, the attacking host sends a crafted HTTP GET
request to the victim, attempting to exploit a buffer overflow in the
Indexing Service described in CERT advisory CA-2001-13.

2. The same exploit (HTTP GET request) is sent to each of the randomly
chosen hosts due to the self-propagating nature of the worm. However,
depending on the configuration of the host which receives this request,
there are varied consequences.

IIS 4.0 and 5.0 servers with Indexing service installed will almost
certainly be compromised by the "Code Red" worm.
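The advisory text above describes what the worm sends: a crafted GET request aimed at the Indexing Service ISAPI extension. An administrator who kept port 80 open can at least look for that traffic after the fact in the IIS logs. The following Python script is an added example, not part of the original article or of the CERT advisory. It parses IIS W3C extended log lines and flags requests for the Indexing Service extensions (.ida/.idq, the components covered by MS01-033) whose query string is oversized, consists of one repeated padding byte, or carries runs of %u-encoded payload bytes. The log lines, the 200-byte threshold and the payload fragments are constructed for the example; on a real server you would read the log files from the IIS log directory instead.

```python
"""Flag Code Red-style Indexing Service overflow attempts in IIS W3C logs.

Added example: the sample log, the threshold and the heuristics below are
constructed for illustration, not taken from a real server.
"""
import re

IDX_EXT = (".ida", ".idq")   # Indexing Service ISAPI extensions (MS01-033)
MAX_QUERY = 200              # constructed threshold; real .ida queries are short
REPEAT_RE = re.compile(r"(.)\1{99,}")              # 100+ copies of one byte
UNICODE_RE = re.compile(r"(%u[0-9a-fA-F]{4}){3,}")  # runs of %uXXXX payload bytes


def _line(ip, stem, query, status="200"):
    """Build one constructed W3C extended log line."""
    return "2001-07-19 10:12:03 %s GET %s %s %s" % (ip, stem, query, status)


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    _line("192.0.2.10", "/default.htm", "-"),
    _line("198.51.100.7", "/default.ida",
          "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090"),   # worm-style padding
    _line("203.0.113.5", "/default.ida",
          "X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090"),
    _line("192.0.2.11", "/products/list.asp", "id=42"),
    _line("192.0.2.12", "/search.ida", "CiRestriction=sbs"),  # short, benign
])


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a list of reasons a record looks like an .ida overflow, or None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.endswith(IDX_EXT) or query == "-":
        return None
    reasons = []
    if len(query) > MAX_QUERY:
        reasons.append("oversized query (%d bytes)" % len(query))
    if REPEAT_RE.search(query):
        reasons.append("long run of one repeated byte")
    if UNICODE_RE.search(query):
        reasons.append("%u-encoded payload bytes")
    return reasons or None


def find_ida_overflows(text):
    """Scan a whole log and return one alert dict per suspicious request."""
    alerts = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "date": rec["date"], "time": rec["time"],
                "client": rec["c-ip"], "stem": rec["cs-uri-stem"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in find_ida_overflows(SAMPLE_LOG):
        print("%s %s %s %s: %s" % (a["date"], a["time"], a["client"],
                                   a["stem"], "; ".join(a["reasons"])))
```

A hit from this script tells you only that an attempt reached the server; whether it succeeded depends on whether the patch was applied, which is exactly why the article recommends reinstalling rather than cleaning an unpatched box that shows such entries.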
According to the SANS top 20 vulnerabilities -
http://www.sans.org/top20.htm
"legitimate users and attackers
connect to systems via open ports. The more ports that are open the more
possible ways that someone can connect to your system. Therefore, it is
important to keep the least number of ports open on a system necessary
for it to function properly. All other ports must be closed." Please
visit that link for ways to test for open ports.
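One way to turn "keep the least number of ports open" into a repeatable check is to compare what the server is actually listening on against the short list of services you intend to offer. The script below is an added example, not from the original article or from SANS. It parses the output of `netstat -an` as printed by Windows 2000 (the sample output and the allow-list are constructed), keeps only TCP sockets in the LISTENING state, and reports every listening port that is not on the allow-list together with the address it is bound to, since a port bound to 0.0.0.0 answers on every interface, including the one facing the Internet.

```python
"""Audit listening TCP ports from `netstat -an` output against an allow-list.

Added example. The netstat text below is constructed to look like Windows
2000 output; the allow-list stands in for the services you mean to expose.
"""

# Constructed sample of `netstat -an` output (not captured from a real box).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:3389         0.0.0.0:0              LISTENING
  TCP    192.0.2.5:3389         198.51.100.9:1044      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Constructed allow-list: inbound mail and HTTPS only, port 80 deliberately absent.
EXPECTED_PORTS = {25, 443}


def listening_tcp_ports(netstat_text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    ports = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # Only TCP sockets in LISTENING state accept new connections.
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit():
            continue
        ports.setdefault(int(port), set()).add(addr)
    return ports


def unexpected_ports(ports, allowed):
    """Sorted list of listening ports that are not on the allow-list."""
    return sorted(p for p in ports if p not in allowed)


def report(netstat_text, allowed=EXPECTED_PORTS):
    """Return human-readable findings, one per unexpected listening port."""
    ports = listening_tcp_ports(netstat_text)
    findings = []
    for port in unexpected_ports(ports, allowed):
        binds = ", ".join(sorted(ports[port]))
        scope = "all interfaces" if "0.0.0.0" in ports[port] else "specific address"
        findings.append("port %d is listening on %s (%s) but is not expected"
                        % (port, binds, scope))
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_NETSTAT):
        print(finding)
```

Run it against the real `netstat -an` output on the server (pipe it to a file and feed that file in) and work the list down: each unexpected entry is either a service to disable, a port to block on the ISA server's external interface, or a deliberate addition to the allow-list.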
But keep in mind that any administrator who had applied the
MS01-026 and MS01-033 security patches to their servers in May and
June, when they were first released, would have suffered no damage and
been fully protected. Those who were not patched suffered damage to
their servers within a short period of time.

If you MUST host a site.
If you must, for business purposes, host your own web site, try this
recommendation from Steve Foster, SBS MVP:
"If you really want or need to host several
web sites on an IIS server, you'd be much better off building a separate
standalone Win2K Server server and placing it in front of the SBS
server. Your life will be so much easier, and you'll be able to sleep at
night :)"
It is preferable to keep that IIS server separate from your main box.
Again, consider the example of Code Red: if all of your eggs are in one
basket... well, you get the drift.
I have read
that when a vulnerability is announced through the Microsoft Security
bulletins you have 48 hours to patch your server before that
vulnerability begins to be exploited. Therefore, sign up to all
major security bulletins and patch yourself
within 48 hours.
Have a tape backup. Test that tape backup. Make full
nightly backups and have a good offsite rotation schedule in place.
The recommended procedure for fully getting rid of Code Red on an
infected server is to reinstall.
Systems that have been compromised by this
worm should be removed from the network and the software and data
reinstalled as specified in the guidelines drafted by the CERT®
Coordination Center - available at
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html.
Customers should apply the patch discussed in MS01-033 to the restored
system to prevent future vulnerability to this attack.
That's right... in order to remove Code Red from your server, you
MUST reinstall that entire server. And if you have a mirrored
drive, that mirror is infected as well. Code Red is just an
example of the types of worms that are out on the Internet today.
These cyberattacks are not going to diminish.
Configuring alerts to notify the administrator through email:
http://www.isaserver.org/authors/magalhaes/tutorials/Configuring%20Alerts.htm
ISA Server Security Checklist
- Part 1: Securing the Operating System and the Interfaces:
http://www.isaserver.org/shinder/tutorials/isachecklist1.htm
ISA Server Security Checklist - Part 2 Securing the ISA Server
Configuration:
http://www.isaserver.org/shinder/tutorials/isachecklist2.htm

If you absolutely must host your web site on your own SBS box
For all the reasons listed above and more, this is really NOT
recommended. But if you truly MUST, or you are going to use it for
"play" purposes, then it would be my humble recommendation to become
very informed about the inner workings of ISA Server and to consider a
third-party add-on to fully track attacks in real time. I would also
become proficient at hacking your own server so that you know what
vulnerabilities you do have. Mariette's tips regarding the issues with
OWA should be reviewed along with the IIS Lockdown tool, the URL
Scanning tool and everything else mentioned on Mariette Knap's SBS2000
security site. Also plan on changing your passwords often and make them
hard to "crack" by making them long and alphanumeric.

Some more links for information:
How to Maintain a Secure SBS
Installation:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303323&GSSNB=1
SANS Newsletter Subscription:
http://server2.sans.org/sansnews
The Computer Security
Institute:
http://www.gocsi.com/
More security links:
http://www.gocsi.com/links/lore.html
Center for Internet Security:
http://www.cisecurity.org/banner.html
eEye Digital Security:
http://www.eeye.com/html/Research/Advisories/
SecurityFocus Corporate Site:
http://www.securityfocus.com/
Black Hat Briefings, Training
and Consulting Security home page:
http://www.blackhat.com/
PhreakNIC5:
http://www.phreaknic.org/
DEF CON:
http://www.defcon.org/
DEF CON book list:
http://www.defcon.org/book-list.html
Packet Storm:
http://packetstormsecurity.org/
http://packetstormsecurity.nl/
Hacking Exposed Windows 2000:
http://www.hackingexposed.com/win2k/home.html
Hacking Exposed Windows 2000 Links:
http://www.hackingexposed.com/win2k/links.html

Disclaimer: I am NOT an expert in Security, nor do I claim to
be one. I am an individual member of the Center for Internet
Security and subscribe to many of the newsletters listed. The
worst Security vulnerability is not understanding that you are
vulnerable. If you don't fully understand the risks, you are not
prepared to open yourself up to the risks.
Use all advice at your own risk.