Solved

Site security won't pass.

Posted on 2011-02-10
Last Modified: 2012-05-11
I have a site running Windows 2003 Server, to which port 80 is open. I'm getting this failing rating from security compliance. The following are the patches they want. I installed them and still get non-compliance.

Description: vulnerable Microsoft.NET Framework version: 1.1.4322
site &ipaddress
Windows Server 2003
Feb 10 16:28:55 2011
new
Severity: Area of Concern
CVE: CVE-2007-0041 CVE-2007-0042 CVE-2007-0043
9.32352new11
Impact: On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could gain unauthorized access to configuration files.
Background: The .NET Framework is a programming model for building Windows applications.
Resolution: Install the patch referenced in Microsoft Security Bulletins [http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx] 10-041 and [http://www.microsoft.com/technet/security/bulletin/ms10-060.mspx] 10-060.
Vulnerability Details: Service: http Received: X-AspNet-Version: 1.1.4322
Question by:JoeyTheGreat
9 Comments
 
LVL 2

Expert Comment

by:cdsathya
ID: 34869065
Try to connect to Windows Update services and install all patches given by Microsoft.
0
 
LVL 3

Expert Comment

by:rajkumartech
ID: 34869696
Try restarting the application pool on your IIS.
0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875621
I think you have to restart the whole computer after this update.
0
 

Author Comment

by:JoeyTheGreat
ID: 34880842
I did restart after installing the updates.
0

 

Expert Comment

by:l8rgdkd
ID: 35082020
I have the same problem... I have installed all Windows updates and I cannot get this message to go away in my security scans.
0
 

Accepted Solution

by:
JoeyTheGreat earned 0 total points
ID: 35082726
I ended up contacting the certification company; they wanted a screenshot of the required update installed ("update installed successful dialogue") and they'll override it as a false positive.
0
 

Expert Comment

by:l8rgdkd
ID: 35082771
Good advice, I'll give it a try.
0
 

Author Closing Comment

by:JoeyTheGreat
ID: 35126247
Everybody had good ideas, but none did anything to pass the failed state.
0
 
LVL 4

Expert Comment

by:PBOI
ID: 35158274
I was having this exact same issue, and I wanted to share some information that I found.  To get past the compliance issue for me, the resolution was tied to IIS.  In IIS, go to your default website, and likely any other websites you have listed, and change .NET being used from 1.1.4322 to 2.0.50727.

On my Citrix server, this was easy.  There was an ASP.NET tab on the website with a convenient dropdown for the version of .NET to implement.

On my OWA server, this was much more painful.  The tab was not there.  Instead you go to Home Directory (tab), Configuration (of the App Pool) and edit each .net aspnet_isapi.dll to point to your new framework path.  Example new path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll

However, the nightmare is just beginning.  As soon as you do this, OWA is shot, and all of your phone email apps are going to bug out.  The solution:  http://www.msexchange.org/tutorials/Fixing-Damaged-Incorrectly-Configured-OWA-2003-Installation.html

Get Metabase Explorer from IIS 6.0 Resource Kit http://www.microsoft.com/downloads/en/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

Back up the IIS Metabase by opening IIS Manager, right-click default website (and any others you have), select "save configuration to a file," and save.  Then delete the OWA Virtual Directories in your default web site: Exadmin, Exchange, Exchweb, Microsoft-server-activesync, oma, public.  Close IIS.

Open Start, Programs, IIS Resources, Metabase Explorer, Metabase Explorer.
Expand Server (local)>LM
Right-click DS2MB key and delete

Open services.msc and restart Microsoft Exchange System Attendant Service.  This will recreate your deleted virtual directories.

"Almost that is, as there’s one more little thing to do. We need to reset the access permissions to Anonymous on the ExchWeb virtual directory. In order to do so start the IIS Manager then right-click the ExchWeb virtual directory and select Properties. Now select the Directory Security tab and click Edit under Authentication and access control. Make sure the Anonymous access and Integrated Windows Authentication check boxes are enabled then click OK and Apply. If an Inheritance Overrides dialog box pops up make sure you click Select All then OK. Under Authentication and access control, click Edit then clear the Integrated Windows authentication check box again. Click OK twice and you’re done."


0
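
Added example, not part of the original thread: the finding quoted in the question cites the X-AspNet-Version response header as its evidence, so this Python check reads that header from a response and reports whether it still shows the flagged 1.1.4322 value. The sample responses are constructed, and treating the header value as the only thing the scanner looks at is an assumption made for the example.

```python
"""Report the ASP.NET version a banner-based scan would read from a response."""
import http.client
from email.parser import Parser

FLAGGED_VERSION = "1.1.4322"  # version named in the scan finding on this page

# Constructed sample responses (not captured from a real host).
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_AFTER = SAMPLE_BEFORE.replace("1.1.4322", "2.0.50727")


def aspnet_version(raw_head: str):
    """Return the X-AspNet-Version value from a raw response head, or None."""
    _status_line, _, header_block = raw_head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    value = headers.get("X-AspNet-Version")  # lookup is case-insensitive
    return value.strip() if value else None


def scan_verdict(raw_head: str) -> str:
    """Assumed scanner logic: judge the host by the banner value alone."""
    version = aspnet_version(raw_head)
    if version is None:
        return "no-banner"
    return "flagged" if version == FLAGGED_VERSION else "not-flagged"


def fetch_head(host: str, path: str = "/", port: int = 80) -> str:
    """Fetch headers from your own server and rebuild a raw response head."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, aspnet_version(sample), scan_verdict(sample))
```

To check a server you administer, pass the output of `fetch_head("your-host", "/some-page.aspx")` to `scan_verdict`; the host and path here are placeholders.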
