The next most common thing to do to protect a site is to prevent injection attacks.
Some links and pointers to see if your site is currently vulnerable to SQL injection and related attacks, and other links to help you fix the problems that you may find.
Microsoft Security Advisory (954462) [microsoft.com]
Put it in the head of the login.asp page.
<%
'Declare MyUsername and MyPassword variables
Dim MyUsername, MyPassword
'get the username and password fields from your form
MyUsername=Request.Form("username")
MyPassword=Request.Form("password")
'Call the function IllegalChars to check for illegal characters
If IllegalChars(MyUsername)=True OR IllegalChars(MyPassword)=True Then
Response.redirect("no_access.asp")
End If
'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
'Declare variables
Dim sBadChars, iCounter
'Set IllegalChars to False
IllegalChars=False
'Create an array of illegal characters and words
sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
"#", "%", "&", "'", "(", ")", "/", "\", ":", "<", ">", "=", "[", "]", "?", "`", "¦", "declare", "convert")
'Loop through array sBadChars using our counter & UBound function
For iCounter = 0 to uBound(sBadChars)
'Use Function Instr to check presence of illegal character in our variable
If Instr(sInput,sBadChars(iCounter))>0 Then
IllegalChars=True
End If
Next
End function
%>
I'd also love to know if there is any way that someone can get around this piece of code?
The best way to protect yourself from SQL injection is to use Stored Procedures or Parametrised Queries instead of inline SQL. Also follow the instructions in the link that Ocean10000 provided.
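The parameterised-query approach recommended in the reply above, written out for the same login.asp form as an added example (this is not code from the thread or from Microsoft's advisory). It assumes a Users table with Username and Password columns and a connection string stored in Application("ConnString"); the username and password are passed to ADO as parameters, so they never become part of the SQL text and no character blacklist is needed.

```vbscript
<%
Option Explicit
' Added example: login check using ADODB.Command with parameters instead of
' inline SQL. Assumed names: Users table (Username, Password columns) and a
' connection string in Application("ConnString") set in global.asa.

' ADO constants, so adovbs.inc does not have to be included
Const adCmdText    = 1      ' CommandText is a plain SQL string
Const adParamInput = 1      ' parameter direction: input
Const adVarWChar   = 202    ' Unicode variable-length string

Dim MyUsername, MyPassword
MyUsername = Request.Form("username")
MyPassword = Request.Form("password")

' Returns True when a matching row exists. The two values are bound as data,
' so a quote, semicolon, "--" or a SQL keyword inside them cannot change the
' query; the database simply compares them against the columns.
Function CheckLogin(sUser, sPass)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserID FROM Users WHERE Username = ? AND Password = ?"
    ' Each "?" is filled positionally; the size must cover the column's
    ' declared length (50 is assumed here).
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarWChar, adParamInput, 50, sUser)
    cmd.Parameters.Append cmd.CreateParameter("@password", adVarWChar, adParamInput, 50, sPass)

    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF

    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End Function

If Not CheckLogin(MyUsername, MyPassword) Then
    Response.Redirect "no_access.asp"
End If
%>
```

With the values bound this way the IllegalChars blacklist above becomes unnecessary, which also means legitimate passwords containing characters such as ' or % (both rejected by that list) are no longer turned away.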
So it would not catch "sElect", "drOp", "inseRt", "dElete" or "xP_".
If that were the case, then instead use
If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then  ' vbTextCompare (=1) makes the search case-insensitive