This isn't an easy answer and this really depends on the environment that you have setup. As a starting baseline you have to ensure the following components are patched up to date at all times, and have been locked down. Check with your vendor to see what security hardening tools are available.
* Web Server (Usually Apache or IIS)
* Web Application Server (Such as Websphere, Weblogic, Tomcat)
* Database Server (Usually Oracle, Microsoft SQL Server, or MySQL)
* Proxy Server (Such as Squid, or Apache)
* Web Applications written in languages such as ASP, ASP.NET/.NET, Perl, PHP, Python, JSP, and Java. This includes SOAP and Web Services