Also be sure to handle the Application_Error event in the Global.asax
and not allow errors to be shown to the public users. And do not use
ad hoc SQL in your ASP.NET code. Instead use stored procedures or
parameterized SQL strings. That will help fight off SQL injection
attacks.

You can then have this website run in a separate application pool in
IIS under a custom user (not Network Service) and limit the rights of
that user. Generally you just need access to the database which will
not be a trusted connection anyway.

Brennan Stehling
http://brennan.offwhite.net/blog/

Michael D. Ober wrote:
> If your customer wants complete safety, tell him to use VMS. Other than
> that, ASP.NET 2.0 running on W2003 SP1 is pretty darn safe, so long as your
> code doesn't do anything stupid like not validate inputs and allow access to
> folders that it doesn't need.
>
> Mike Ober.
>
> "ad" <> wrote in message
> news:%...
> >I use VS2005 to develop web application.
> > The Web application will install in a Windows XP.
> > Some customers doubt the safety of Asp.net.
> >
> > Are there some reports about the safety of OS or database or development
> > tools?
> >
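
Added example, not part of the original thread: a Global.asax code-behind that logs unhandled errors server-side and sends visitors to a generic page, next to a parameterized query of the kind recommended above. The names AppDb, dbo.Customers, LastName and ~/Error.aspx are assumptions made up for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Code-behind class for Global.asax.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions; log the real cause.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Full detail (stack trace, SQL error text) stays on the server.
        System.Diagnostics.Trace.TraceError("Unhandled error: {0}", ex);

        // Clear the error so the default error page is not rendered,
        // then show a page that reveals nothing about the failure.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }
}

public static class CustomerData
{
    // User input travels as a typed parameter, never as part of the SQL text.
    public static int CountByLastName(string lastName)
    {
        if (lastName == null) throw new ArgumentNullException("lastName");

        // "AppDb" (assumed name) is a web.config connection string using a
        // SQL login with limited rights rather than a trusted connection.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        const string sql =
            "SELECT COUNT(*) FROM dbo.Customers WHERE LastName = @lastName";

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value = lastName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Setting customErrors mode to "RemoteOnly" or "On" in web.config covers errors that occur before this handler can run.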