How to address Vulnerabilities on a website hosted on a dedicated server

A 3rd party company has provided us with security vunrability analysis of our company websites and management wish me to report on how we will tackle these issues.

Alert group                                   Severity      Alert count
      
SSL 2.0                           deprecated  protocol      High      1      
ASP.NET                                  error message      Medium      1      
The POODLE attack           (SSLv3 supported)      Medium      1      
ASP.NET                             version disclosure      Low      1      
Clickjacking:         X-Frame-Options header missing      Low      1      
OPTIONS                            method is enabled      Low      1      
Error page           web server version disclosure      Informational      1      
Microsoft IIS                  version disclosure      Informational      1      

Please advise on how we can tackle each of these issues.

Thank you
LVL 1
souldjAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

aboo_sCommented:
upgrade SSL to the latest version, via your SSL certificate provider.
Set display error on your asp server to no, don't display error messages and warnings ..
Upgrade your server ..upgrade operating system.
To be frank upgrading everthing should solve most of the issues.
I advise you upgrade then make this check again!
0
Dave HoweSoftware and Hardware EngineerCommented:
That looks like the output of a nessus scan - the nessus report should have included links to the remedial pages.

SSL2/SSL3 would be https://support.microsoft.com/en-us/kb/187498
IIS version disclosure - https://support.microsoft.com/en-us/kb/317741

if you give more data on the other vulns, I can give you the urls for those too :D
0
Dan McFaddenSystems EngineerCommented:
The Disclosure issues are in part due to a default included HTTP Header.  Open IIS Manager, go to the server object, go into the HTTP Response Headers feature and delete "XPowered-By"  Its not needed.

For more detail on containing info disclosure issues check out these links:

- http://blogs.msdn.com/b/david.wang/archive/2006/03/29/silly-security-scans.aspx (Blog Article and Opinion)
- http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx (how to article)

Articles about securing up your SSL implementation, uses PowerShell to set things up:

- https://www.nartac.com/Products/IISCrypto/
- https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
- https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

Then you can test your implementation thru the following website:

- https://www.ssllabs.com/ssltest/index.html

Dan
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.