I am technical lead on a large public assessable web solution based on the

Microsoft.Net framework and running on Windows 2003 Server SP1, IIS 6

and Microsoft Content Management Server 2002.

The customer has announced that they have ordered a third part security

to scan the solution for security vulnerabilities. The solution will be
scanned from the

internet and from a machine hosted on the network.

Although I believe that solution has been developed using Microsoft best

and is secure I would like to test the solution my self in order to be able
to correct

possible vulnerabilities before the test is run.

I am looking for advice of the most common scenarios a security consultant
is looking

for and recommendation to tools that can assist me in finding any
vulnerability that the

solution might have.

In this particularly case I am mostly interested in security vulnerabilities
found in the

..Net application itself since the security on the server and network is the

of the hosting provider.

I have no previous experience with having a solution scanned by a
professional security

company and would appreciate any advice you might have.

Kind regards