Printing solutions for ASP.NET project
Message
General information
Forum: ASP.NET
Category: Other
Miscellaneous
Thread ID: 00885909
Message ID: 00886582
Views: 14
> I guess there are two fronts really, security of the server to prevent any would-be hackers, and security of the application, i.e. a hacker trying to break in through the application with a password cracker or whatever.

Here is a list of some of the most common threats to web apps:
* SQL Injection
* Cross-Site Scripting (XSS)
* Cookie theft
* Session tampering

There is plenty of information about these things on the net and it is pretty easy to deal with most of these threats. The trick is to be aware of them and always (that's the hard part) write code that can resist these types of attacks.

Of course, you also need to protect the network and IIS.


>To secure .PDFs and .JPGs then, there's some settings I should change?

Map these files to AspNet_ISAPI.DLL in IIS.


>Are you referring to the "timeout" setting in web.config when you say limit authentication cookies?

Some of these settings are set in the web.config file. Others depend on how you use forms authentication. A lot of the examples in books and magazines use persistent authentication cookies (via the RedirectFromLoginPage method) rather than creating a shorter-lived cookie. One of the things that was presented at DevDays is that persistent cookies have a lifetime of 50 years!!!! That's a very long time. You are much better off if you create the cookie yourself and set it to expire in whatever timeframe is shorter than that!
Hector Correa
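
Creating the authentication cookie yourself instead of calling RedirectFromLoginPage with a persistent cookie, as an added example that is not part of the original message. The class name `ShortLivedAuthCookie`, the method name `SignIn` and the 30-minute lifetime are assumptions chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: issues a forms-authentication cookie whose
// lifetime is set explicitly by the application.
public static class ShortLivedAuthCookie
{
    // Assumed lifetime; pick whatever timeframe fits the application.
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Call after the credentials have been validated.
    public static void SignIn(HttpContext context, string userName)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(Lifetime);

        // Build the ticket by hand so the expiration is ours rather
        // than the one a persistent cookie would receive.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,                             // identity name
            issued,                               // issue date
            expires,                              // explicit expiration
            false,                                // not persistent
            String.Empty,                         // no user data
            FormsAuthentication.FormsCookiePath);

        // Protects the ticket according to the <forms protection="..."> setting.
        string protectedTicket = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, protectedTicket);
        cookie.Path = FormsAuthentication.FormsCookiePath;

        // Limits exposure to cookie theft: not readable from script
        // (.NET 2.0 and later), and sent only over HTTPS when the
        // login request itself arrived over HTTPS.
        cookie.HttpOnly = true;
        cookie.Secure = context.Request.IsSecureConnection;

        // cookie.Expires is left unset, so the browser drops the cookie
        // when it closes; the ticket expiration still applies on the server.
        context.Response.Cookies.Add(cookie);
        context.Response.Redirect(
            FormsAuthentication.GetRedirectUrl(userName, false));
    }
}
```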