It's not the lack of a firewall that is a problem. It's all the security holes in IIS.
First, go to the MS website and get all the updates for IIS and install them. They are listed here.
Also get the IIS lockdown tool and run it. Turn off all the crap that you don't need. If you aren't sure if you need it or not, turn it off.