I have a win2k machine with Internet Information Server installed. I usually have my World Wide Web Publishing Service stopped, unless I'm developing against it. I've been running an evaluation of Sygate personal firewall which notifies me that a remote machine is trying to connect to Internet Information Server. So, 2 questions: Whats the reason or intent for remote machines connecting to Internet Information Server? Does it make any difference, from a security standpoint, whether my web publishing service is stopped or started?

It certainly does matter - with it on you have all the vulnerabilities switched on too as it will be responding to internet requests and probes.

First comes the probes for IIS - Then they try and find which version you are running - then they will typically try various exploits of known security holes - then they will execute various buffer overflow techniques part of the latter.

Motto is make sure you have all your security patches up to date but even so with Microsoft you never know!!!

Make sure you are running the latest version of IIS plus patches.

definitely keep the virus defs up to date as well, as viruses can propogate through port 80 (HTTP) as well... some of the more (and less) recent ones willa ctively search out vulnerable machines to infect