The best use of the preceding techniques will not protect your application if you miss the important practice of patching. Patching is the practice of applying vendor-provided fixes to the software you use to run your web application. Whether it's your web server, your database software, your operating system, or any other software used in your application, running without security patches installed is an invitation to hackers everywhere.
Fortunately, Microsoft is working to make the patching process easier with tools such as Windows Update and a relatively new tool, the Microsoft Baseline Security Analyzer (MBSA). MBSA version 1.1, available at http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp, provides both GUI and command-line interfaces for scanning local and remote machines for patch status and common misconfigurations of the following products:
Windows NT 4.0
IIS 4.0 and 5.0
SQL Server 7.0 and 2000
Internet Explorer 5.01 and later
Office 2000 and 2002
Exchange 5.5 and 2000 (patch scanning only)
Windows Media Player 6.4 and later (patch scanning only)
In addition to using tools like Windows Update and MBSA, you can sign up for notifications of security bulletins at http://www.microsoft.com/technet/security/bulletin/notify.asp.
Regardless of how you find out about patches, it is imperative that you keep all software associated with your web application patched and up to date.