Don’t do anything, turn anything on, or add features unless you absolutely need them. Anything you do adds additional risk; the most secure system is one that doesn’t do anything at all.
Grant users only the minimum required access they need in order to perform the business function.
Two security gates are better than one.
In the failure scenario don’t open the system to attack.
Setting max length on ASP.NET and HTML input controls
Using ASP.NET validation controls (RequiredFieldValidation, CompareValidator, RangeValidator, RegularExpressionValidator, CustomValidator) to constrain user input via ASP.NET input controls as much as possible.
Constraining user input to a white list (list of acceptable characters).
Constraining user input to a black list (list of all unacceptable characters).
When another user's credentials are stolen and used to connect to a SQL database.
When a hacker gets access to the database and modifies data in the database.
When user input is used to alter a SQL statement to perform an unintended action.
When a hacker gets access to the database and modifies stored procedures in the database.
Unauthorized access of data to select, update, delete
Deletion or modification of database objects
Deletion of all files on the database server.
Use parameterized queries.
Constrain user input to known valid data.
Connect to the database with a low privileged account.
Connect to the database with a high privileged account.
Defense in depth.
Keep it simple to minimize the attack surface area.
Reluctance to trust.