ysivaram

asked on

Protecting the Webserver

We are running a Windows 2000 IIS 5 Webserver. Our apps are designed using ASP/SQL Server 2000. The server is directly connected to Internet. (No firewalls)

Could anyone recommend some better software, like firewalls or locks, to protect our web server from any potential hackers?
chris_calabrese

This all depends greatly on how much protection you need and how much money you have.

The first thing I'd say is to make sure you have all patches installed and that you've configured the machine as per the MS Knowledgebase article on configuring IIS servers (http://www.microsoft.com/technet/security/tools/iis5chk.asp).

Next, consider getting eEye SecureIIS (www.eeye.com).  This product is pretty inexpensive (a few hundred $'s) and protects against buffer overflows, malformed URL attacks, Unicode attacks, and a few other nasties.  If you have a bit more money, you might consider instead Sanctum AppShield (www.saanctuminc.com), which also protects against application level attacks (cookie modification, URL modification, hidden field modification, etc).

For firewalls consider...
  Free
    - OpenBSD with IPfilter
    - Linux with IPtables
  Inexpensive
    - Netscreen
  Expensive
    - CheckPoint Firewall-1
    - Cisco PIX
anzen

Proxy the server out.
Get it behind H/W firewall.
Do not 'share' IIS S/W with any other service - the sql should also be elsewhere.

Check out topic DMZ on Microsoft web - see what is it you can afford to do.

If you/company do not know, then contract it out (there is a learning curve to maintaining these things, even if you can afford them) - better safe than sorry.

Move your desktops away from the server (subnet).
Linux costs a few hundred by the time you get a CD, a hand-me-down old computer, and some time to install/configure. It is also one of the most popular firewalls.

Consider switching to Apache - join the majority. Switch out IIS. You can also switch in MySQL. I think it and Apache are both available for NT, and free, and that would allow for an OS switch later, that is not to XP.

About a HW and Linux based firewall, take a look here:

http://www.watchguard.com/products/firebox.asp

Alternatively You could use a proxy, but this will cost You bucks for the proxy SW (say e.g. ISA) and for the PC used to run it; that's why I suggest taking a HW firewall.

When You sum the costs You'll see it's cheaper.

As a last note:

A firewall doesn't guarantee You absolute security. If You don't patch Your server (see my prev comment) and if You use a weak security policy, the firewall itself can't protect You, since someone could break through one of the exposed ports (say HTTP - 80) and bypass the FW.

The firewall is there simply to reduce the exposure of unwanted services to the internet and to allow You to expose services on a "local" basis in a DMZ. For example, You could have a SQL Server machine in the DMZ which is reachable by Your web server (DMZ) but not visible from the internet.





Hi,

Use your router as a firewall: put some access lists with restricted access on it, and configure those access lists so that your internal network is secure against DoS/DDoS and other malfunctions. This will be a low cost solution right now. The other option is to put in a Linux server with IPCHAINS (firewall), which will again give you two layers of security for your servers.

Any questions let me know.

thanks
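As an added illustration (not code from anyone in this thread), here is the kind of ruleset the "Linux firewall" suggested above would carry to enforce the DMZ layout described earlier: the Internet reaches only the web server on 80/443, only the web server reaches SQL Server on 1433, and the SQL host is never reachable from the outside. It uses iptables (the successor of IPCHAINS); the interface names and addresses are assumptions for the example.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for a multi-leg Linux
# firewall enforcing the DMZ layout discussed in the thread.
# Interface names and addresses are assumptions, not values from the question.
WAN_IF=eth0            # Internet side
DMZ_IF=eth1            # web server segment
DB_IF=eth2             # SQL Server segment (own leg, so the firewall sees web->SQL traffic)
LAN_IF=eth3            # internal desktops
WEB=10.1.1.10
SQL=10.1.2.20
LAN_NET=10.2.0.0/16

# Print the ruleset; on the firewall host it would be fed to iptables-restore.
dmz_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to already-accepted connections pass in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> web server: HTTP/HTTPS only
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# web server -> SQL Server: TCP 1433 only; no rule ever allows the WAN leg to reach $SQL
-A FORWARD -i $DMZ_IF -o $DB_IF -s $WEB -d $SQL -p tcp --dport 1433 -m state --state NEW -j ACCEPT
# internal LAN may open admin sessions toward the DMZ legs, never the reverse
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DB_IF -m state --state NEW -j ACCEPT
# everything else (e.g. a compromised web server probing the LAN) is logged, then dropped by policy
-A FORWARD -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity check before loading: no rule on the WAN leg may name the SQL host as destination.
sql_not_exposed() {
    ! dmz_rules | grep -- "-i $WAN_IF" | grep -q -- "-d $SQL"
}

dmz_rules
```

The LOG rule is what makes the firewall useful for detection as well as blocking: any DMZ host that starts initiating connections toward the LAN shows up in the kernel log with the FW-DROP prefix.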