Phew! Where to start… Depends on how “secure” you need it to be. i.e. Difference between a personal blog and a large project for a large company/government dept. etc…

In no particular order

• Secure your configuration files by encrypting them.
• Ensure that your Database is behind some sort of DMZ and not on a publically accessible IP
• Get a security company to give your site an overhaul for potential vulneribilities (Cross Site Scripting / Sql Injection)
• Use SSL
• Lock down everything port-wise on the server except for 80 HTTP & 443 HTTPS unless absolutely necessary
• Make sure your Remote Desktop/VNC connections to the box are secure
• If your storing passwords in the DB, hash & salt them and don’t store plain text
• Publish your code, and don’t leave source code on the server
• Build your code based on known standards, i.e. don’t write your own Crypto Algorithms
• If secure connections between the Site->DB or Site-MSMQs are available, use them

Microsoft have a good article on securing ASP.NET apps that i’ll dig out.

Edit

And as Syed just posted in his reply, (+1 a credit to him)

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication