We are using WinGate as the firewall for the IIS server hosting this and the WinGate site.
Basically we have all the services turned off, Remote Control bound only to internal and localhost interfaces, and only port 80 open on external to the Internet.