Broken Access Control

Even the most elaborate application-level security fails if an attacker can reach your computers by a simpler route: an identifier the application trusts without checking, an unpatched service, a weak password, or physical access to the machine. Follow these guidelines:

Access control policy

Write down your access control policy, and implement access control in a centralized module so that every page and request handler enforces the same rules and a policy change is made in one place. Checks scattered across individual pages are the ones that get forgotten.

IDs

Do not base authorization on any ID that an attacker can manipulate. A record number in a query string, a hidden form field, a cookie value, or a user name in a URL can all be altered by the client. Check on the server that the current user is authorized for the object the ID refers to; making IDs hard to guess is only a secondary measure and does not replace that check.
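The two guidelines above in working code, as an added example that is not part of the original page. The users, documents and request handlers are hypothetical; the point is that the request-supplied id is still manipulable in the hardened handler, but every decision goes through one authorization module that checks ownership of the referenced object.

```python
"""Centralized authorization with an object-level ownership check.

Added example; the users, documents and request handlers are hypothetical
and not from the original page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


class AccessDenied(Exception):
    """Raised for any request the policy does not explicitly permit."""


# Constructed sample data: two users' documents, stored by numeric id.
DOCUMENTS = {
    101: Document(101, "alice", "alice's payroll summary"),
    102: Document(102, "bob", "bob's draft notes"),
}


# --- The single access control module -------------------------------------
# Every handler asks this function; nothing else decides who may do what.
# The written policy it implements:
#   * admins may perform any action on any document
#   * owners may read and delete their own documents
#   * everything else is denied
def can_access(user: User, action: str, doc: Document) -> bool:
    if "admin" in user.roles:
        return True
    if action in ("read", "delete"):
        return doc.owner == user.name
    return False


def authorize(user: User, action: str, doc: Document) -> None:
    if not can_access(user, action, doc):
        raise AccessDenied(f"{user.name} may not {action} document {doc.doc_id}")


# --- Vulnerable handler: the id from the request is trusted as-is ------------
def get_document_vulnerable(user: User, requested_id: str) -> str:
    # A user who changes ?id=102 to ?id=101 reads someone else's document.
    return DOCUMENTS[int(requested_id)].body


# --- Hardened handler: same manipulable id, but the policy is enforced ------
def get_document(user: User, requested_id: str) -> str:
    try:
        doc_id = int(requested_id)
    except ValueError:
        raise AccessDenied("malformed document id")
    doc = DOCUMENTS.get(doc_id)
    # Unknown and forbidden ids get the same answer, so an attacker cannot
    # enumerate which ids exist by watching the error.
    if doc is None:
        raise AccessDenied(f"{user.name} may not read document {doc_id}")
    authorize(user, "read", doc)
    return doc.body


def read_is_denied(user: User, requested_id: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        get_document(user, requested_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    alice, bob = User("alice"), User("bob")
    print(get_document(alice, "101"))           # alice reads her own document
    print(get_document_vulnerable(bob, "101"))  # bob reads alice's document
    print(read_is_denied(bob, "101"))           # True: the policy stops him
```

Because the handler only ever calls authorize(), adding a new action or role is a change to can_access() alone; nothing has to be hunted down page by page.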

Back ups

Back up often and keep your backups physically secure. A backup is a complete copy of your data and deserves the same protection as the server it came from.

Physical security

Keep your Web server computer physically secure so that unauthorized users cannot get to it, turn it off, or take it.

Windows NTFS

Use the Windows NTFS file system, not FAT32. NTFS supports per-file and per-folder access control lists, auditing, and encryption; FAT32 has no file permissions at all, so any user who can log on to the computer can read or change any file. For details, see the Windows documentation.

Strong passwords

Secure the Web server computer and all computers on the same network with strong passwords. An attacker who compromises a neighboring computer with a weak password can use it as a foothold against the Web server.

Secure IIS

Secure IIS. For details, see the Microsoft Security web site.

Unused ports/services

Close unused ports and turn off unused services. Every listening service is attack surface that must also be kept patched.

Virus checker

Run a virus checker that monitors inbound and outbound traffic.

Password policy

Establish and enforce a policy that forbids users from keeping their passwords written down in an easy-to-find location.

Firewall

Use a firewall. For recommendations, see Microsoft Firewall Guidelines on the Microsoft Security web site.

Security patches

Install the latest security patches from Microsoft and other vendors. For example, the Microsoft Security web site has a list of the latest security bulletins for all Microsoft products; other vendors have similar sites.

Event logging

Use Windows event logging, with logon auditing enabled, and examine the logs frequently for suspicious activity, including repeated failed attempts to log on to your system (recorded in the Security log) and an extremely high number of requests against your Web server (visible in the IIS logs).
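The two checks named above run over sample log data, as an added example that is not part of the original page. The Security-log export format (timestamp, event ID, source address, account) and the IIS W3C log lines are constructed for the example; the event ID 4625 used for a failed logon is the standard Windows Security event.

```python
"""Flag repeated failed logons and request floods in exported logs.

Added example. The security-event CSV layout and the IIS log contents are
constructed sample data; the thresholds are assumptions to tune locally.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed export of Security-log records: time,event_id,source_ip,account.
# 4625 = failed logon, 4624 = successful logon.
SECURITY_EVENTS = """\
2024-05-01 09:00:01,4625,203.0.113.7,administrator
2024-05-01 09:00:03,4625,203.0.113.7,administrator
2024-05-01 09:00:04,4625,203.0.113.7,admin
2024-05-01 09:00:06,4625,203.0.113.7,root
2024-05-01 09:00:08,4625,203.0.113.7,administrator
2024-05-01 09:00:09,4625,203.0.113.7,iusr
2024-05-01 09:05:10,4624,192.0.2.10,alice
2024-05-01 09:06:00,4625,192.0.2.10,alice
2024-05-01 09:06:20,4624,192.0.2.10,alice
"""

# Constructed IIS W3C log: a little normal traffic plus one client
# making 120 requests within a single minute.
IIS_LOG = "\n".join(
    [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
        "2024-05-01 09:00:01 198.51.100.5 GET /default.asp 200",
        "2024-05-01 09:00:02 198.51.100.5 GET /images/logo.gif 200",
        "2024-05-01 09:01:15 198.51.100.5 GET /contact.asp 200",
    ]
    + [f"2024-05-01 09:00:{i % 60:02d} 203.0.113.7 GET /page{i}.asp 404"
       for i in range(120)]
)


def parse_security_events(text):
    """Yield (timestamp, event_id, source_ip, account) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, ip, account = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), ip, account


def repeated_failed_logons(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: total_failed_logons} for every source that produced
    at least `threshold` failed logons (event 4625) inside any `window`."""
    by_ip = defaultdict(list)
    for ts, event_id, ip, _ in parse_security_events(text):
        if event_id == 4625:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the list.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def high_request_rate(text, threshold=60):
    """Return {(client_ip, 'YYYY-MM-DD HH:MM'): count} for every client that
    made more than `threshold` requests in one minute. Column positions are
    taken from the log's own #Fields: directive rather than hard-coded."""
    fields = None
    counts = Counter()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data before #Fields: directive")
        row = dict(zip(fields, line.split()))
        minute = f"{row['date']} {row['time'][:5]}"
        counts[(row["c-ip"], minute)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("failed-logon sources:", repeated_failed_logons(SECURITY_EVENTS))
    print("request floods:", high_request_rate(IIS_LOG))
```

The single failed logon from 192.0.2.10 followed by a success is ordinary user behaviour and is not reported; the burst of six failures against different privileged account names from 203.0.113.7 is, and the same address then shows up as the request flood in the IIS log.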