I'm running Windows Server 2008 R2 with IIS 7.0 and SQL 2008 R2 on the same box. The server is behind a Juniper firewall and only allows port 80 traffic. This server is isolated and does not have any link back to my domain; it sits in its own workgroup in a DMZ. The IIS Server hosts a VB application that people on and off campus need to access. The VB application links back to demographic data hosted on the local SQL 2008 R2 server.
This server is kept up-to-date on all critical Microsoft security patches for the OS and related products. I monitor the server disk space usage and event logs. I log 5000 'sa' login attempts per day.
Any and all suggestions on how to keep this machine secure are appreciated.