1. Generate new encryption keys
When moving an application to production for the first time, it is a good idea to generate new encryption keys. This includes the machine validation key and decryption key as well as any other custom keys your application may be using. There is an article on CodeProject that talks about generating machineKeys specifically that should be helpful with this.
2. Encrypt sensitive sections of your web.config
This includes both the connection string and machine key sections. See Scott Guthrie's post for some good references. Note that if your application runs in a clustered environment you will need to share a custom key using the RSA provider as described in an MSDN article.
3. Use trusted SQL connections
Both Barry Dorrans and Alex Chang have articles which discuss this in detail.
4. Set retail="true" in your machine.config
<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>
This will kill three birds with one stone. It will force the 'debug' flag in the web.config to be false, it will disable page output tracing, and it will force the custom error page to be shown to remote users rather than the actual exception or error message. For more information you can read Scott Guthrie's post or the MSDN reference.
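A pre-deployment check for items 2 to 4, added here as an example and not taken from the original checklist or the articles it cites. The sample machine.config and web.config, the server name and credentials, and the finding codes are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; names, server and credentials are illustrative only.
MACHINE_CONFIG = '<configuration><system.web><deployment retail="true"/></system.web></configuration>'
WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=App;User ID=app;Password=example"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true"/>
    <trace enabled="true"/>
    <customErrors mode="Off"/>
    <machineKey validationKey="00AA" decryptionKey="11BB" validation="SHA1"/>
  </system.web>
</configuration>"""

def retail_enabled(machine_xml):
    """True when machine.config carries <deployment retail="true"/> (item 4)."""
    el = ET.fromstring(machine_xml).find("system.web/deployment")
    return el is not None and el.get("retail", "false").lower() == "true"

def audit_web_config(web_xml, retail=False):
    """Return a sorted list of finding codes (hypothetical names) for one web.config."""
    root = ET.fromstring(web_xml)
    findings = set()

    def attr(path, name):
        el = root.find(path)
        return "" if el is None else el.get(name, "").lower()

    # Item 4: retail="true" overrides these three, so report them only without it.
    if not retail:
        if attr("system.web/compilation", "debug") == "true":
            findings.add("debug-enabled")
        if attr("system.web/trace", "enabled") == "true":
            findings.add("trace-enabled")
        if attr("system.web/customErrors", "mode") == "off":
            findings.add("custom-errors-off")
    # Item 2: a protected section carries a configProtectionProvider attribute.
    for path in ("connectionStrings", "system.web/machineKey"):
        el = root.find(path)
        if el is not None and el.get("configProtectionProvider") is None:
            findings.add(path.split("/")[-1] + "-not-encrypted")
    # Item 3: a trusted connection has no password in the connection string.
    for add in root.iterfind("connectionStrings/add"):
        cs = add.get("connectionString", "").lower().replace(" ", "")
        if "password=" in cs or "pwd=" in cs:
            findings.add("sql-password-in-connection-string")
    return sorted(findings)
```

Calling audit_web_config(WEB_CONFIG, retail_enabled(MACHINE_CONFIG)) shows that the retail flag clears the debug, trace and custom error findings, while the plaintext sections and the SQL password are still reported.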
5. Create a new application pool for your site
When setting up your new site for the first time, do not share an existing application pool. Create a new application pool which will be used only by the new web application.
6. Set the memory limit for your application pool
When creating the application pool, specifically set the memory limit rather than the time limit which is set by default. Asp.net has a good whitepaper which explains the value of this:
By default IIS 6.0 does not set a limit on the amount of memory that IIS is allowed to use. ASP.NET’s Cache feature relies on a limitation of memory so the Cache can proactively remove unused items from memory.
It is recommended that you configure the memory recycling feature of IIS 6.0.