Hi Roger, now one thing to add. I also said that I wish Microsoft would release a future version of SQL Server where all the dangerous bits are locked by DEFAULT. A bit like Windows Server 2008, where it's up to the user to choose what he wants to open.

Things like EXECUTE or SELECT on the Master table should be locked!

Remember I am the only person available in my organization, and I am surely not the only one working like that. So my job consists of DBA, Programmer, IT, Firewall guru, etc...

So it has been a pretty tough ride recently with things that should not be there from the beginning.

Another thing I didn't know about is the 'httponly' attribute in web configuration files to lock the cookies in read only mode.

Web config files have a huge number of methods, parameters and attributes and it's very hard to know all of them. I am proud to say I learn every day, but the same as with SQL, if cookies can execute their code, they shouldn't be allowed to do that by DEFAULT.

Thanks

Paschal