Howdy,

A good place to start is http://www.microsoft.com/security/ and "Microsoft Baseline Security Analyzer", which I have not personally used but supposedly scans Windows (NT4 SP4+, 2000), IIS (4, 5), and SQL (7, 2000) servers plus IE for known security issues. See KB article Q320454 for more info.

You also might want to check into http://www.NTBugtraq.com/

But before you start with any of that--Disable all default and built-in accounts on all servers and devices exposed to the internet! No 'admin' accounts, no active 'guest' accounts. All these built-in accounts are well-known starting points for attacks. If you need access to a resource, create an account and give it only the minimum required permissions.

While you're doing that, make sure the default state for your firewall is to block all traffic, and it's only passing through the ports and protocols you've specified.

And don't overlook physical security. All the firewalls and passwords in the world don't do much good when your server is sitting under a desk in a cubicle where anyone can walk up and insert a floppy, or worse, walk off with the server!

HTH =)
Sean G.

-----Original Message-----

hi.

(i'm using win2k advanced server.)

i'd like to know where i can find some tools, or suggestions on how to best test my website's security. besides patches and service packs, and let's say, a firewall allowing only SMTP, HTTP, HTTPS traffic through... any other suggestions?

also... where is a good resource that explains in layman's terms what the difference between TCP, UDP, and ICMP packets are? as well as ACK, SYN, etc.

thanks!
chris.
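
The default-deny advice in the reply, checked against the SMTP/HTTP/HTTPS policy from the original question, as an added example that is not part of either message. The rule format, the first-match evaluation order and the three sample rule sets are assumptions constructed for illustration, not any firewall product's syntax.

```python
from dataclasses import dataclass

# Inbound services the original question wants passed: SMTP, HTTP, HTTPS.
ALLOWED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}

@dataclass(frozen=True)
class Rule:              # hypothetical rule format, not any product's syntax
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "any"
    lo: int = 0          # port range, inclusive (ICMP is probed as port 0)
    hi: int = 65535

def decide(rules, default, proto, port):
    """First matching rule wins; unmatched traffic gets the default policy."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default

def audit(rules, default):
    """Compare what the rule set really passes against ALLOWED."""
    probes = [(p, n) for p in ("tcp", "udp") for n in range(65536)]
    probes.append(("icmp", 0))   # ICMP has no ports; probe it once
    passed = {x for x in probes if decide(rules, default, *x) == "allow"}
    return {
        "default_deny": default == "deny",
        "unexpected": sorted(passed - ALLOWED),   # open but never requested
        "blocked": sorted(ALLOWED - passed),      # requested but shadowed
    }

# Constructed sample rule sets.
BLOCKLIST = [Rule("deny", "tcp", 135, 139), Rule("allow", "tcp", 25, 25),
             Rule("allow", "tcp", 80, 80)]          # used with default "allow"
ALLOWLIST = [Rule("allow", "tcp", 25, 25), Rule("allow", "tcp", 80, 80),
             Rule("allow", "tcp", 443, 443)]        # used with default "deny"
SHADOWED = [Rule("deny", "tcp", 0, 1023)] + ALLOWLIST  # broad deny listed first

if __name__ == "__main__":
    for name, rules, default in (("blocklist", BLOCKLIST, "allow"),
                                 ("allowlist", ALLOWLIST, "deny"),
                                 ("shadowed", SHADOWED, "deny")):
        r = audit(rules, default)
        print(name, "default_deny=%s" % r["default_deny"],
              "unexpected=%d" % len(r["unexpected"]), "blocked=%s" % r["blocked"])
```

The blocklist set shows why the default matters: with a default of "allow", every port nobody thought to deny stays reachable, while the shadowed set shows a default-deny policy that still fails because a broad deny sits ahead of the intended allows.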