Adding ASP.NET to IIS5 security concerns

[Dimitrie]

I would like to install the DOTNET 1.1 FRMWRK on a production machine (IIS5
Win2k). It runs ASP and it's locked down with the IIS 2.1 LockDown Tool and
a bunch of few other tweaks. The intent is to start porting old ASP scripts
to ASPX. No web services intended.

By simply installing the framework and not running any ASPX scripts is the
machine still secure? Do I have to take any further steps to lock down the
server?


Can anyone point me to a Securing IIS5 and .NET guide or whitepapers?
Or if you can briefly advise me on the steps it would be great.


Thanks,
Dimitrie

 

[Dimitrie]

Johan,

Thanks for your help.

The question I can't get an anser is:
By it's default instalation, is the DOTNET Framework secure for serving
anonymous pages? It seems that a lot of people here are running ASP.NET but
I'm not sure how they've locked their server.

I assume that the official answer is yes but I would like to get help from
real life.

I'm thinking about some sort of RD access enabled by default. Or a web based
admin page that gets installed somewhere in my root. Or a similar problem
like the "view source" sample page installed by IIS4 in default mode. Do I
have to reaply the IIS lockdown tool after I install the framework?

I need some sort of 1,2,3 steps or if someone can share his experience in a
similar situation. I do not want to install the SDK just the Framework.

Thanks,
Dimitrie