it's a matter of how much time and money you want to spend. if you want to stay on the cheap side, consider kerberos, LDAP, SSL, default config files, etc. if you want top notch security you can setup one time passwords that are retrieved at web system start (activated by a keycard or retina scan) behind a DMZ. Seriously though, a database & web server running with least privileges (non-privileged users) and default database config files (.mycnf for mysql) will provide you with "good enough" security. If it's for a commercial venture, definitely stick the db box behind a DMZ and backup your database often. Chris