Hi Ivan,
It looks like the lucee site doesn't have any info on their wiki page about locking down for IIS, at least not here:
Basic security would be to restrict public access to the /WEB-INF/ and /railo-context/ or /lucee/ folders (to protect the admin).
We do this in our main iis applicationHost.config file so that it applies to all our sites automatically.
In the file's <rewrite> section add a rewrite map with the IPs you want to allow, and then add a global rule below like this:
<rewrite>
  <rewriteMaps>
    <!-- one entry per client IP that may reach the admin; value "1" means allowed -->
    <rewriteMap name="Authorized admin IPS">
      <add key="xxx.xxx.xxx.xxx" value="1" />
    </rewriteMap>
  </rewriteMaps>
  <globalRules>
    <!-- admin context: 403 unless REMOTE_ADDR is in the map above -->
    <rule name="Block Railo admin" patternSyntax="Wildcard" stopProcessing="true">
      <match url="railo-context*" />
      <conditions logicalGrouping="MatchAny">
        <add input="{Authorized admin IPS:{REMOTE_ADDR}}" pattern="1" negate="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
    </rule>
    <!-- WEB-INF: 403 for everyone -->
    <rule name="Block Railo WEB-INF" patternSyntax="Wildcard" stopProcessing="true">
      <match url="WEB-INF*" />
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
    </rule>
  </globalRules>
</rewrite>
This will block access to WEB-INF entirely, and restrict the Railo admin to only authorized IP addresses.
If your server was patched (OS and any web apps like WordPress) and didn't have known security vulnerabilities, then the next thing to check is user-uploaded content.
Never trust user-uploaded content; make sure the user-uploaded content is not in a folder that has any handler mappings enabled.
Also look into maybe moving your sites behind a WAF, using Cloudflare or Sucuri for example.
A lot of other things to check for probably, but at least this should cover the basics for Lucee/Railo on IIS.
hope that helps...
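An added offline check of the rewrite lockdown described in the post above (this is example code, not from the post or from Lucee): it parses the <rewrite> fragment and reports the status a request would get, so the allow-list can be verified before it is deployed. It assumes IIS wildcard semantics (case-insensitive, `*` and `?`), that a missing rewrite-map key expands to an empty string, and uses the constructed address 203.0.113.10 in place of xxx.xxx.xxx.xxx.

```python
import re
import xml.etree.ElementTree as ET

# The <rewrite> fragment from the post, with a constructed sample IP
# in place of xxx.xxx.xxx.xxx.
REWRITE_XML = """<rewrite>
 <rewriteMaps><rewriteMap name="Authorized admin IPS">
  <add key="203.0.113.10" value="1" />
 </rewriteMap></rewriteMaps>
 <globalRules>
  <rule name="Block Railo admin" patternSyntax="Wildcard" stopProcessing="true">
   <match url="railo-context*" />
   <conditions logicalGrouping="MatchAny">
    <add input="{Authorized admin IPS:{REMOTE_ADDR}}" pattern="1" negate="true" />
   </conditions>
   <action type="CustomResponse" statusCode="403" />
  </rule>
  <rule name="Block Railo WEB-INF" patternSyntax="Wildcard" stopProcessing="true">
   <match url="WEB-INF*" />
   <action type="CustomResponse" statusCode="403" />
  </rule>
 </globalRules>
</rewrite>"""

def wildcard(pattern, text):
    # IIS wildcard syntax: '*' = any run, '?' = one char; case-insensitive by default.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def status_for(url, remote_addr, xml=REWRITE_XML):
    """Status the global rules produce for a request (200 = no rule fired)."""
    root = ET.fromstring(xml)
    maps = {m.get("name"): {a.get("key"): a.get("value") for a in m.findall("add")}
            for m in root.iter("rewriteMap")}
    for rule in root.iter("rule"):
        if not wildcard(rule.find("match").get("url"), url.lstrip("/")):
            continue
        conds = rule.find("conditions")
        fired = True
        if conds is not None:
            results = []
            for c in conds.findall("add"):
                # {Map:{REMOTE_ADDR}} lookup; an unknown key yields "" as in IIS
                name = re.fullmatch(r"\{(.+?):\{REMOTE_ADDR\}\}", c.get("input")).group(1)
                hit = wildcard(c.get("pattern"), maps[name].get(remote_addr, ""))
                results.append(hit != (c.get("negate") == "true"))
            fired = any(results) if conds.get("logicalGrouping") == "MatchAny" else all(results)
        if fired:  # CustomResponse action: return the configured status
            return int(rule.find("action").get("statusCode"))
    return 200
```

Run it with the real map and a list of the addresses you expect to be allowed and denied; any request to the admin path from an unlisted address must come back as 403.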