To lock down your sites, there's a couple of tips I can guide you with...

1) Use Dll's for your data code & call these from your asp pages - never talk to a file or databasse from your asp page itself.

2) A lot of attacks on websites come from querystrings, if you are paranoid, you can validate what's after that question mark when your asp page is called on.

3) The second big one is SQL statements - if you've got a form with a textbox which when submitted is logged to a database, hackers often use SQL statments in the textboxes which excecute as soon as they are passed to the server.

4) Get all the updates from Ms for your system - any security patches which come out are always worth downloading.

5) If you use IIS, you might want to look at the user accounts you site uses, what paths these have access to & what rights to the file this web user has. Right click your website in IIS & look at all the tabs under the properties option.