How do you fix this vulnerability: Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an attacker through the inspection of returned error messages, even when anonymous access is also granted.
When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if anonymous access to the requested resource is allowed.
Do I need to turn off Outlook Anywhere and then disable the authentication for those items in IIS (RPC, PowerShell proxy, EWS, Autodiscover, aspnet_client)? I'm sure something will break.
I would think if Outlook Anywhere was vulnerable, OWA would be too?
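
To see which virtual directories the finding actually applies to before changing anything in IIS, the added example below (not part of the original post) parses the `WWW-Authenticate` headers of saved 401 responses and lists every scheme a path advertises beyond the ones you intend to allow. The responses, the hostname `mail.example.test` and the `allowed` policy are constructed assumptions.

```python
from email.parser import Parser

# Constructed responses (not captured from a real server). Each path maps to
# the status line and headers returned for a request that carried an invalid
# username and password. Hostname and header values are assumptions.
SAMPLE_RESPONSES = {
    "/rpc": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="mail.example.test"\r\n'
        "WWW-Authenticate: NTLM\r\n\r\n"
    ),
    "/EWS": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: Negotiate\r\n"
        "WWW-Authenticate: NTLM\r\n\r\n"
    ),
    "/aspnet_client": "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
}


def advertised_schemes(raw_response):
    """Return (status_code, [schemes]) for one raw response head."""
    status_line, _, header_block = raw_response.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    schemes = []
    # Assumes one challenge per WWW-Authenticate header line.
    for value in headers.get_all("WWW-Authenticate", []):
        parts = value.split(None, 1)
        if parts and parts[0] not in schemes:
            schemes.append(parts[0])
    return status, schemes


def audit(responses, allowed):
    """Map each path to the schemes it discloses that are not in `allowed`."""
    findings = {}
    for path, raw in responses.items():
        status, schemes = advertised_schemes(raw)
        extra = [s for s in schemes if s.lower() not in allowed]
        if status == 401 and extra:
            findings[path] = extra
    return findings


if __name__ == "__main__":
    policy = {"ntlm", "negotiate"}  # hypothetical policy: schemes you expect
    for path, extra in audit(SAMPLE_RESPONSES, policy).items():
        print(f"{path}: advertises {', '.join(extra)}")
```
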