Remove unused services to reduce security exposure.
Create and apply security policies to simplify the configuration of OS security settings.
Secure the system administrator account for an MSDE database instance.
Validate and restrict user input.
Enable logging of Web requests.
Enable SSL encryption of Web requests.
Enable Windows or Forms authentication for ASP.NET.
Use ACL or URL authorization to control access to resources.
Use trusted connections with SQL Server or MSDE databases.
In days gone by, there were primarily two types of applications: single-user applications in which presentation, business logic, and any necessary data handling all occurred on the client machine of the user; and client/server applications, which removed much or all of the data handling to a separate database server. Back then, security was largely a matter of making sure that in a client/server situation, users made modifications only to data that they were authorized to change. The typical application developer seldom had to face issues such as denial-of-service attacks, port sniffing, and so on.
The Internet has changed all that forever. Applications that are exposed to the Internet are inherently vulnerable to a host of issues, ranging from attempts at stealing data to the defacing of Web sites to denial-of-service attacks. No matter what operating system or other software you run, that vulnerability will never go away entirely. Software is an imperfect science, and unfortunately, an operating system invulnerable to attack has yet to be created.
The good news is that most software, including Microsoft Windows 2000, Microsoft Windows XP, IIS, and Microsoft Windows Server 2003, can be made quite secure if you follow best practices (a recognized set of recommended procedures and policies) for security, such as keeping track of and installing security patches as soon as they are released. One of the remarkable things about security practices in our industry is just how many servers (both Microsoft-based and otherwise) are sitting out there exposed to the Internet without patches installed that have been available for months, or even years!