You should secure the server (or servers) where you plan to install the Management Service and the Policy Distribution Service.
In addition to any standard security practices required by your organization, we recommend that you consider the following security measures. These measures do not need to be completed prior to installation, but delaying might leave undesirable openings in your corporate security.
Configure (harden) the server to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment. You should consult the appropriate section of the Microsoft Technet security Web page.
Limit access to trusted machines by setting up the directory and Internet Information Service (IIS) to use ACLs. The following articles provide information:
Remove the following default folders from the IIS installation:
IISHelp
IISAdmin
Scripts
Printers
Use IIS Lockdown Tool 2.1 to further secure your IIS installation. The tool is available at microsoft.com. Version 2.1 includes lockdown templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If you are in doubt, the Dynamic Web server template is recommended.
Physically secure the server to prevent access by unauthorized individuals. You should take measures appropriate to the risks involved and your organization’s requirements. There are multiple available standards and guidelines available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it can still act as a valuable resource and planning guide.
Restrict network access to the server. You might consider using your firewall technology to 1) restrict incoming connection attempts to the ports and protocols from which a valid access attempt might be expected and 2) restrict outgoing connection attempts to the IP addresses, ports, and protocols to which a valid access attempt might be expected.