Your thinking in terms of rebuilding the web server is correct. You should not lose sight of the reason for having a DMZ. The DMZ is there to protect your internal network. Ultimately you should plan on sacrificing the DMZ servers in the interests of saving the internal network servers.
Having said that, people tend to protect their DMZ servers so well that those are the ones that survive attacks and the internal network servers get corrupted through other routes. This happened to us with MSBlaster. The DMZ servers were untouched but internal servers, particularly W2K ones, were infected.
David is right. Both the IIS Lockdown tool and the Baseline Security Analyser will give you a lot of what you require. I know the IIS Lockdown tool from having used it to verify our approach to locking down our IIS 5 server builds. We used it to check whether our locked down server complied with what MS recommended in the Lockdown tool and found that we had locked our boxes down even more than the tool.
The tool does the basic things like removing most ISAPI extensions and removing all the unwanted stuff that is loaded with IIS (samples, documentation, various virtual apps). It locks down exes and DLLs so that they cannot be executed by the anonymous impersonation account.
It doesn't move the web content onto a dedicated partition away from the C: drive. It doesn't disable extraneous services running on a server. It doesn't change certain registry keys which Microsoft recommended be set in their IIS 5 security template hisecweb.inf or set the policy for complex passwords.
I know that the Lockdown tool can be used with W2K/IIS5. I am not sure whether it runs with NT4/IIS4, but would assume that it does, and I know that it is incorporated into W2K3/IIS6, so you don't need it if you are deploying your web server on W2K3.
The Baseline Security Analyser will give you some idea of any possible vulnerabilities that you may have left once you've used the tool and added your own changes to the config.
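Added example (not from the original post, and not Microsoft's IIS Lockdown tool or any of its code): a PowerShell audit script covering the gaps the post says the Lockdown tool leaves, namely web content on the system drive, extraneous services, binaries under the web root executable by the anonymous account, and password complexity. Everything beyond those four points is an assumption for illustration: the default web root path, the IIS 5 style anonymous account name IUSR_<machine>, the list of services to disable, the use of a per-account deny ACE as a stand-in for whatever mechanism the Lockdown tool actually uses, and Windows PowerShell 5.1 or later (needed for the StartType property on Get-Service). The hisecweb.inf registry keys the post mentions are not reproduced here because the post does not list them.

```powershell
# Added example, not the original post's or Microsoft's code.
# Audits the things the post says the IIS Lockdown tool does NOT do.
# Run as an administrator. Pass -Fix to apply the service and ACL changes.
param(
    [string]$WebRoot = 'D:\inetpub\wwwroot',                      # assumed: dedicated data drive
    [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME",         # assumed: IIS 5 naming convention
    [string[]]$ServicesToDisable = @('Messenger', 'Alerter', 'RemoteRegistry'),  # assumed list
    [switch]$Fix
)

$findings = @()

# 1. Web content should live on a partition other than the system drive.
$systemDrive = $env:SystemDrive
if ($WebRoot.ToUpper().StartsWith($systemDrive.ToUpper())) {
    $findings += "Web root $WebRoot is on the system drive $systemDrive; move it to a dedicated partition."
}

# 2. Extraneous services: report any that are not disabled, optionally stop and disable them.
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }               # service not present on this build
    if ($svc.StartType -ne 'Disabled') {
        $findings += "Service $name is $($svc.Status), start type $($svc.StartType)."
        if ($Fix) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# 3. The anonymous account must not be able to execute exes/DLLs under the web root.
# Check for an explicit deny-execute ACE for that account; add one with -Fix.
# (Using a per-account deny ACE is an assumption of this example, not a statement
# about how the Lockdown tool itself does it.)
$binaries = Get-ChildItem -Path $WebRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue
foreach ($bin in $binaries) {
    $acl = Get-Acl -Path $bin.FullName
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$AnonymousAccount" -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
    if (-not $denied) {
        $findings += "$($bin.FullName): no deny-execute ACE for $AnonymousAccount."
        if ($Fix) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $AnonymousAccount, 'ExecuteFile', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $bin.FullName -AclObject $acl
        }
    }
}

# 4. Password complexity: export the local security policy with secedit and read
# PasswordComplexity from the [System Access] section (1 = complex passwords required).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$complexity = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
if ($complexity -ne '1') {
    $findings += "Password complexity is not enforced (PasswordComplexity = $complexity)."
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once without -Fix to see what it reports, and only then with -Fix. The deny ACE is the blunt instrument: if any legitimate ISAPI or CGI under the web root must run as the anonymous account, exclude that file from the loop before applying the fix, otherwise those requests will start failing with access denied.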