Hi,



I am technical lead on a large publicly accessible web solution based on
the Microsoft .NET framework and running on Windows 2003 Server SP1, IIS 6
and Microsoft Content Management Server 2002.



The customer has announced that they have ordered a third-party security
consultancy to scan the solution for security vulnerabilities. The solution
will be scanned from the internet and from a machine hosted on the network.



Although I believe that the solution has been developed using Microsoft
best practices and is secure, I would like to test the solution myself in
order to be able to correct possible vulnerabilities before the test is run.



I am looking for advice on the most common scenarios a security consultant
is looking for and recommendations for tools that can assist me in finding
any vulnerability that the solution might have.



In this particular case I am mostly interested in security vulnerabilities
found in the .NET application itself, since the security on the server and
network is the responsibility of the hosting provider.



I have no previous experience with having a solution scanned by a
professional security company and would appreciate any advice you might
have.



Kind regards



Tony