[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 576
  • Last Modified:

dot net frameword 1.1 removal from front end exchange.

Hi,
I have my exchange front end running on windows 2003 enterprise with SP 2 as OS with 2003 exchange enterprise with SP2.
During last PCI scan an vulnerability "remote code execution in current dot net 1.1 version" comes on it. I have installed concerned patch but gap is still there.
Finally i plan to remove dot net version 1.1 from my server, please let me know how can i uninstall it and before uninstallation which version i should install which can replace it.
FYI :   IIS 6.0 is running on this server.
0
pdixit1977
Asked:
pdixit1977
  • 2
  • 2
1 Solution
 
B HCommented:
1.1 is built into the server you can't make it go away

but, you can change your virtual sites to use dot net 2 or 3 or 4 depending on if your applications will support it.  

you would do that in iis, right-click the site, properties, IIS tab

make notes of what you change, so you can undo it if you need to.

for pci compliance, you might have to mitigate this another way - you can't secure yourself so much that you put yourself out of business - but you have to show that you did something for the pci compliance.  if you can use 2, 3, or 4, great.  if not, look into what your pci compliance authority would want you to do in order to keep 1.1 and still be "secure enough"

0
 
pdixit1977Author Commented:
PCI recommend me to install an particular patch to fix this gap, i did that but still it comes up. I asked them to consider this as "False Possitive" but they denied and asked me to fix it anyhow.
Thats why i was thinking to remove it and use other version....
0
 
B HCommented:
well try to switch to the other version in IIS as above... and then test your web applications and make sure they still work... if they do, great.  if not, you'll need to either find out what your pci compliance authority wants -after- patching like you did, or tell them it's a risk you'll have to take and provide the reasons why.   maybe you can compensate by turning up the logging level or something.

i mean, it's kind of like them asking you to use a certain type of combination lock to lock a door when all your employees are blind and you really need a key-lock or the whole door is pointless.
0
 
pdixit1977Author Commented:
Good answer, thanks
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now