Best Practices for Securing Microsoft Windows Applications

A little research on securing applications will yield many resources. You can find tutorials, how-to guides, and complete reference works with detailed instructions to follow. While there are many details necessary to make your applications as secure as possible, several general guidelines will address the most important security needs.

Although each application and each organization are different, they all share common strategies to establish good security controls and foil attackers. The following recommendations come from practical experience with many organizations and applications. They are the strategies that produce the best results. These best practices will help you establish a solid foundation for securing your applications:

  • Harden the operating system first.

  • Install only the services necessary.

  • Use server roles when possible.

  • Use the Security Compliance Toolkit (SCT) to ensure you are adhering to Microsoft baseline best practices.

  • Remove or disable unneeded services.

  • Remove or disable unused user accounts.

  • Remove extra application components.

  • Open only the minimum required ports at the firewall.

  • Define unique user accounts.

  • Use strong authentication.

  • Use encrypted connections for all communication.

  • Encrypt files, folders, or volumes that contain private data.

  • Develop and maintain a business continuity plan (BCP) and a disaster recovery plan (DRP).

  • Disable any unneeded server features.

  • Ensure every computer has up-to-date anti-malware software and data.

  • Never open any content or files from untrusted sources.

  • Validate all input received at the server.

  • Audit failed logon and access attempts.

  • Conduct penetration tests to discover vulnerabilities.

These best practices apply to most server applications and ensure you are protecting your data at the server level.
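
The read-only PowerShell audit below is an added example, not code from the book. It checks several of the items above on a single host: unneeded services, unused accounts, open ports, and failed-logon auditing. The service allowlist and the 90-day idle threshold are assumptions to replace with your own baseline.

```powershell
# Added example: read-only audit of several checklist items on one Windows host.
# Run from an elevated Windows PowerShell 5.1+ session. Nothing is changed.

# Assumption: services this server role needs (constructed sample list).
$AllowedServices = @('W3SVC', 'WAS', 'WinRM', 'EventLog', 'Dnscache')
# Assumption: an enabled account idle longer than this counts as unused.
$StaleDays = 90
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# "Remove or disable unneeded services": auto-start services outside the allowlist.
$extraServices = Get-Service |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Name -notin $AllowedServices } |
    Select-Object Name, DisplayName, Status

# "Remove or disable unused user accounts": enabled local accounts with no recent logon.
$staleAccounts = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, LastLogon, PasswordLastSet

# "Open only the minimum required ports": what is listening, and what the firewall admits.
$listeners = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique |
    Sort-Object LocalPort
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile

# "Audit failed logon and access attempts": current policy, then the last 24 hours
# of event ID 4625 (failed logon) from the Security log.
$logonAuditPolicy = auditpol /get /subcategory:"Logon"
$failedLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Report each finding for manual review against the server's documented role.
'--- Auto-start services not in allowlist ---'; $extraServices | Format-Table -AutoSize
'--- Enabled accounts idle > {0} days ---' -f $StaleDays; $staleAccounts | Format-Table -AutoSize
'--- Listening TCP ports ---';                  $listeners     | Format-Table -AutoSize
'--- Enabled inbound allow rules ---';          $inboundAllow  | Format-Table -AutoSize
'--- Logon audit policy ---';                   $logonAuditPolicy
'--- Failed logons in last 24h: {0} ---' -f @($failedLogons).Count
```

An empty failed-logon count is only meaningful if the policy output shows Failure auditing enabled for the Logon subcategory.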
