WebKnight is a very popular and open source WAF for IIS. WebKnight blocks known exploits and 0-days by detecting HTTP protocol violations and by limiting parameters sent to your web application. Scanning for the OWASP Top 10 attack signatures and a lot more that we've seen since the year 2002 when we started this GNU GPL project.

ThreatSentry is a Web Application Firewall and Intrusion Prevention solution that helps system administrators improve web application security and comply with regulatory demands such as Section 6.6 of the Payment Card Industry Data Security Standard. ThreatSentry 4 supports Windows Server 2008 R2 and IIS 7 on 32 and 64 bit systems. An ISAPI Extension hosted in MMC, ThreatSentry’s knowledgebase of pre-configured filters is designed to identify and block a broad range of web application threats...

With AuthXt, you can extend your web server's functionality with a custom authentication mechanism. You can password protect any type of resources on your site (directories, videos, images) authenticating users against different type of back ends.

Web applications are at the center of business online and are constantly threatened by common threats like SQL injection, XSS, and new, unknown zero day threats. Not only is ServerDefender VP’s host-based application security powerful, it's easy to use with slider controls to strengthen and loosen security policies. ServerDefender VP Web application firewall for IIS is designed to provide protection for websites and applications running on the Microsoft IIS Web server by blocking Web attacks....

A Windows GUI for managing SSL ciphers and protocols. If your web site handles credit card transactions and must comply with PCI requirements you must disable weak protocols and ciphers in IIS (such as SSL V2). This tool makes it very easy to do, saving you time and worry.

A UI module for IIS 7 that installs a user interface for configuring client certificate mappings for IIS