I have an IIS 7 web server that connects to a database. The server is accessible to the public. I am afraid that the database might be compromised. In this respect, what security aspects do I need to pay attention to? What do I need to harden this web server?
I understand that I may need to encrypt the connection string in the web.config file.

What are the best practices in this case?

I have specific clients who need to connect to this server. So do I need to implement certificates for secure connections?
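Encrypting the connection string section of web.config is done with the `aspnet_regiis.exe` tool that ships with the .NET Framework, so the plaintext database credentials never sit on disk. The following is an added example, not part of the original question; the application path `C:\inetpub\wwwroot\MyApp` and the `Framework64\v4.0.30319` runtime directory are assumptions (use the `Framework` folder and runtime version that match your application pool).

```powershell
# Added example (not from the original post). Assumed values: the site's physical
# path and the .NET runtime directory; adjust both to your server.
$framework = "$env:windir\Microsoft.NET\Framework64\v4.0.30319"
$appPath   = 'C:\inetpub\wwwroot\MyApp'

# Encrypt the <connectionStrings> section in place. The DPAPI provider ties the
# encryption to this machine's key, so a copied web.config is useless elsewhere.
& "$framework\aspnet_regiis.exe" -pef "connectionStrings" $appPath -prov "DataProtectionConfigurationProvider"

# Verify the result: the section should now carry a configProtectionProvider
# attribute and hold <EncryptedData>, not a plaintext password.
[xml]$cfg = Get-Content (Join-Path $appPath 'web.config')
$section = $cfg.configuration.connectionStrings
if ($section.configProtectionProvider) {
    "connectionStrings encrypted with $($section.configProtectionProvider)"
} elseif ($section.InnerXml -match 'password=') {
    "WARNING: plaintext credentials are still present in web.config"
}

# To change a connection string later, decrypt, edit, then re-run the -pef step:
# & "$framework\aspnet_regiis.exe" -pdf "connectionStrings" $appPath
```

ASP.NET decrypts the section transparently at runtime, so application code keeps reading `ConfigurationManager.ConnectionStrings` unchanged; for a web farm use the RSA provider with an exported key container instead of DPAPI.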

There's simple and then there are "I must protect this to the maximum including man in the middle and more" discussions.

Are you sharing via a network share or just a web portal?
Are you concerned about man in the middle attacks to only allow HTTPS?
Is your programmer aware of your security concerns and coding accordingly so as not to allow a database dump to any user?
Did you at least install a hardware firewall and poke only the holes needed for the system to do what you want?

Added with edit: PS. What I wrote is just the tip of the iceberg in answer to your posting. That is, you have to figure out how many circles of hell you will descend to, as there are concerns all across the board from data theft to fraud and abuse. You have to think about how far you want to go here.

-> If this web interface deals with money, that immediately takes us to the fourth circle.