IIS and SQLServer Hardening

The Center for Internet Security Benchmarks tend to be my go to source for hardening advice. They will, of course, need to be tailored to your environment, but I have found them to be fairly general purpose and easily modified. On the linked download page you will find both IIS and SQL Server documents.

As for the other half of your question, it seems like you're asking for additional hardening advice on the underlying operating system. If so, then see this question as a starting point - Windows Hardening. If that does not fit your needs, then I would suggest formulating a separate question specifically on that topic.

While hardening the underlying layers is good, you also need to be concerned with the web applications as well. The metrics that I've seen seem to indicate that compromises are shifting away from the OS and servers and focusing on the web apps themselves. So don't forget to look into that as well.

Another good resource can be found at the NIST National Checklist Program Repository. Available here are a bunch of baselines generated with the MS Security Compliance Manager Tool which can be used to quickly and easily measure a given config against their baselines. Baselines exist for many different MS techs.

If automation is valuable for you, I believe that the automated tool for checking against the CIS benchmarks may only be available for members who have paid some pretty significant fees.