Security experience on how to secure Winnt +asp +sql Web site

web| Security | Site is some of my experience, I hope to be useful to you, but you know, absolute security is not. This is the reason for the existence of a network management. So. A rainy day is a good thing. But it is not an unwise to mend.
Please see my experience is.
1. Take a look at MS's security bulletin, which is preferred. Subscribe to the security technology magazine. (MS for FREE!) If it is genuine NT, it will have the latest security e-mail. ensure timely updating.
2. How big patches, must pay attention to the order, if installed system software, but also to be mended. (If you add the SMTP service later, you will also need to SP1, etc.), otherwise it may cause the old file to be overwritten.
3. Improve your security policy, or you can use Microsoft's security templates. There are some good automatic templates. Can be added automatically as needed.
4. Increase the audit strength, audit permissions relatively large operation.
5. Password changed on time. must conform to policy.
6. A number of security forums are often used. Such as: Green Union technology, demon Fox site.
7. The level of the account must be more points, if you can implement the function, do not give greater authority.
8. Remove the extra service. such as: (ftp,smtp,nntp,telnet) redundant scripts, examples. such as many script libraries in IIS, you can not.
9. Get rid of some dangerous commands. Do not share C disk.
10. Often look at the log, events.
11. Do not install remote administration of HTML.
12. It is best to install some hacker tools to simulate the attack. See if there's a problem.
13. Install the port scanning tool. See if there are any unused open ports.
14. Install some tools to prevent eavesdropping, remove some sniffer hidden in the port, and prevent the password data from being intercepted.
15. The best debugging-side management is remote administration. Password encryption policy is higher. prevented from being intercepted.
16. Modify some options with the registry. such as automatically displays the name of the last login.
17. Get rid of the administrator's default name. This can be more than a level of protection!
18. Password Policy ....
19. Security policy for passwords. The number of digits in the password is secure. This is weird. According to Ms Encryption algorithm. Only 14-digit passwords are likely to be safe. But in fact very few people can remember so many bits of password. But 14 bit. 7-bit passwords are more secure. (It's weird.) Microsoft engineers say that sometimes 7-bit is more than 10-bit insurance. Oh, the specific reason to say more complex. I'm giving my brother a lecture. Omit it.
20. Suggested password has letters. Digital. The case is composed of. It is best to add some characters such as! #￥% (). Can hardly be guessed.
21st. User name to change the default Admini ... , you can build a 14-bit long administrator name. You can use all the letters. This increases the level of protection.
22. Increase the strategy. Prevent the enumeration method to guess the account name.
23. Add to prevent 5 unsuccessful login, automatically locked account 20 points. Prevent the violence law from breaking through.
24. Establish a classified password policy. Don't use some built-in accounts. such as "sa".
25. Increase the password for the SA. It's best not to use him. Build an additional administrator account. Then build a classified account for each of your own databases. It is best to connect with him in ASP. This will ensure the security of other databases.
26. Remove some permissions. Ordinary users are not allowed to use more dangerous stored procedures.
27. Remote connections are not allowed for accounts other than administrators. Or add a named pipe.
27. If the ASP can use DSN, do not use the connection string. And take a pattern containing the files included in.
28 ..... adjourned