The chap at the danish site is absolutely correct. If fact I have an IIS5/Win2k box at home that is impenetrable...... Course I wouldn't dare connect it to the internet unless I switched it off first..... (and no..... The NIC does not support "wake-up over LAN")

Honestly though.... Keeping up with the patches and all that is all fine and dandy but all you are doing is _reacting_. Reacting to something that is already known and patched. If someone hits your box with a "zero day" none of the patches in the world will help.... Your hacked.....

The question then is what have you done to mitigate the damage on the back end. How quickly can s/he escalate privilege? Can they move files undetected onto the system? How quickly can they hop to another box inside your system and set up shop there? Can they clean up after them and erase only those log entries that pertain to them? Can they even find your log files, (think stealth logging)? Can they be sure that they are not being sniffed while they work and could they defeat the sniffer and erase the entries there?

Security is, unfortunately, not one dimensional - in fact it has a few more than the standard three we are all used to which, correspondingly, makes it that little more difficult to grasp and execute effectively.