We recommend that Microsoft IIS (Internet Information Services) be run only by experienced users and Computer Officers, on modern Windows servers (Server 2008 R2 or later). IIS can be quite a complex product to configure, maintain and keep secure, particularly if the site includes a lot of server-side scripting. While IIS is also available on desktop versions of Windows, we do not recommend that most users run it there.
If consultants are involved in the initial setup of an IIS server, take note of the recommendations in the Guidelines for External Service Providers, Consultants and Contractors promulgated by the IT Syndicate. The security points are important since IIS servers remain a popular target for hackers, particularly in an open environment like Cambridge. IT personnel should assure themselves of the security of such servers on a regular basis. As the aforementioned document says: "Security breaches are dealt with by CERT (the Cambridge Computer Emergency Response Team) in conjunction with the relevant specialist group such as Windows-Support and Unix-Support. In the event of a security breach, CERT will expect to communicate with the local Computer Officer to establish the extent of the compromise and to take remedial action."
If you are not confident that you know enough about IIS to handle such a situation, then suitable training should be sought.
Apache remains a viable cross-platform alternative to IIS: much the same security considerations apply to both.