Fixing NTLM vulnerability in IIS

How do you fix this vulnerability: Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an attacker through the inspection of returned error messages, even when anonymous access is also granted.

When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if anonymous access to the requested resource is allowed.

Do I need to turn off Outlook Anywhere and then disable the authentication for those items in IIS (RPC, PowerShell proxy, EWS, Autodiscover, aspnet_client)? I'm sure something will break.

I would think that if Outlook Anywhere were vulnerable, OWA would be too?
jtano asked:
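One way to see for yourself what the scanner is reporting, as an added example that is not part of the original thread: the script below parses a raw HTTP 401 response, as captured from your own server, and lists the authentication schemes its WWW-Authenticate headers advertise. IIS answers a rejected Basic or NTLM attempt with exactly such a 401, even when anonymous access is also enabled, and the Negotiate/NTLM/Basic challenges in it are what the finding describes. The sample response, the `KNOWN_SCHEMES` set and the `advertised_schemes`/`triage` helpers are constructed for this example; they are not IIS, Exchange or scanner code.

```python
"""Triage helper for the "IIS reveals supported authentication methods" finding.

Given a raw HTTP 401 response, as a scanner or `curl -i` against your own
server would capture it, list the authentication schemes the server
advertises in its WWW-Authenticate headers.

Added example; the names and the sample response are constructed, not taken
from IIS, Exchange or any scanner's code.
"""
from typing import Dict, List, Tuple

# Scheme tokens IIS/Exchange commonly offer; Negotiate wraps Kerberos or NTLM.
KNOWN_SCHEMES = {"basic", "ntlm", "negotiate", "digest"}

# Constructed sample of what a rejected login to an Exchange virtual
# directory might return (illustrative values, not a real capture).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.com"\r\n'
    "Content-Length: 63\r\n"
    "\r\n"
    "<html><body>401 - Unauthorized: Access is denied.</body></html>"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status code and a header multimap.

    Header names are lowercased; repeated headers (IIS sends one
    WWW-Authenticate per scheme) are kept as a list in arrival order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def split_challenges(value: str) -> List[str]:
    """Split one WWW-Authenticate value on commas that sit outside quotes.

    A realm such as realm="a, b" must not be cut in half, while
    "Negotiate, NTLM" on a single line must yield two challenges.
    """
    parts: List[str] = []
    buf: List[str] = []
    quoted = False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def advertised_schemes(raw: str) -> List[str]:
    """Return the scheme tokens a 401 response offers, lowercased, in order."""
    status, headers = parse_response(raw)
    if status != 401:
        return []  # no challenge was issued, so nothing is advertised
    schemes: List[str] = []
    for value in headers.get("www-authenticate", []):
        for challenge in split_challenges(value):
            # The scheme is the first token; params or token68 data follow it.
            schemes.append(challenge.split(None, 1)[0].lower())
    return schemes


def triage(raw: str) -> Dict[str, object]:
    """Summarise the finding: which schemes are offered and which are unexpected."""
    schemes = advertised_schemes(raw)
    return {
        "schemes": schemes,
        "offers_basic": "basic" in schemes,
        # NTLM may be offered directly or inside a Negotiate challenge.
        "offers_ntlm": "ntlm" in schemes or "negotiate" in schemes,
        "unexpected": sorted(s for s in set(schemes) if s not in KNOWN_SCHEMES),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_401))
```

Run it against a 401 captured from each of the virtual directories the question lists (RPC, PowerShell, EWS, Autodiscover) and compare the schemes it reports with the authentication settings configured on that directory in IIS Manager; the scanner's check amounts to the same header inspection, so the useful decision is whether the advertised set matches what you intend to offer, not whether the 401 itself can be suppressed.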

systechadmin (Consultant) commented:
No, there is no vulnerability. Every organization is using the authentication method recommended by MS. You can implement a proxy server behind the firewall, like UAG, to increase security.
Amit Kumar commented:
By default, the Exchange-configured authentication methods are good enough to secure your environment. Outlook Anywhere works with Basic and NTLM, but when credentials are passed to the client, Exchange and Office products are intelligent enough to secure them. So don't change any authentication method; it can mess up your Exchange infra.

Microsoft always follows security measures as required. You can do one thing: if you have any doubt that IIS is using weak SSL ciphers, then you can restrict ciphers at the OS level using this application. Discuss it with your security team and check.

jtano (Author) commented:
Gaurav - A proxy server behind a firewall sounds like a lot of work. UAG is going away, right?

Amit - I will look into this application. Unfortunately, we don't really have a security team. We're kind of a small shop that gets vulnerability scans, and this one keeps coming up, so my boss wants it to go away.

Amit Kumar commented:
Even in my infra we had an external vulnerability assessment, but we did not get any issue with the authentication method in the reports; recently we had an issue with weak SSL ciphers, which was resolved after using IISCrypto. The default Exchange-configured authentication method will not get you into problems; in case you have already customized it, I can't be so sure about that.

A firewall or UAG is there to protect your environment from DoS attacks, IPS attacks, virus attacks and more attacks, depending on how they protect, so they are also required. Now it depends on the situation, as sometimes people don't have a big infra or much investment, so they don't go for them. Still, the choice is yours; security matters when we work with a public network.
systechadmin (Consultant) commented:
Amit is correct. Yes, UAG support is going away.
jtano (Author) commented:
Okay, I will use this application to try to fix my authentication stuff and tell my boss they are really not vulnerabilities. Thanks so much for your time.