Free Checklist for Auditing Web Servers

Verify that the web server is running on a dedicated system and not in conjunction with other critical applications.
Verify that the web server is fully patched and updated with the latest approved code.
Determine whether the web server should be running additional tools to aid in its protection.
Verify that unnecessary services or modules are disabled. Services and modules that remain enabled should run under least-privileged accounts.
Verify that only appropriate protocols and ports are allowed to access the web server.
Verify that accounts allowing access to the web server are managed appropriately and hardened with strong passwords.
Ensure that appropriate controls exist for files, directories, and virtual directories.
Ensure that the web server has appropriate logging enabled and secured.
Ensure that script extensions are mapped appropriately.

| Free Download Attachment | Size |
|---|---|
| ChecklistforAuditing-Webserver.xls | 16 KB |








