jtano (United States of America) asked:

Fixing NTLM vulnerability in IIS

How do you fix this vulnerability: Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an attacker through the inspection of returned error messages, even when anonymous access is also granted.

When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if anonymous access to the requested resource is allowed.

Do I need to turn off Outlook Anywhere, then disable the authentication for those items in IIS (RPC, PowerShell proxy, EWS, Autodiscover, aspnet_client)? I'm sure something will break.

I would think if Outlook anywhere was vulnerable, OWA would be too?
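Before switching authentication off on any of the Exchange virtual directories named above, it helps to know exactly what each one currently has enabled. The following read-only inventory is an added example, not code from the thread or from Microsoft; it assumes the WebAdministration module that ships with IIS and is run in an elevated PowerShell on the Exchange/IIS server. It lists, per site and application (owa, ecp, EWS, Rpc, Autodiscover, PowerShell, aspnet_client and so on), which IIS authentication modules are enabled and which Windows-authentication providers (Negotiate, NTLM) would be advertised.

```powershell
# Added example (not from this thread): inventory the authentication methods enabled on
# every IIS web application, so each Exchange virtual directory can be reviewed before
# anything is switched off. Read-only; assumes the WebAdministration module is present.
Import-Module WebAdministration

# IIS authentication modules that can be toggled per site/application/virtual directory.
$authModules = @(
    'anonymousAuthentication',
    'basicAuthentication',
    'windowsAuthentication',   # Negotiate (Kerberos) and/or NTLM; providers listed separately
    'digestAuthentication'
)

function Get-IisAuthInventory {
    foreach ($site in Get-Website) {
        # The site root plus every application under it (Exchange creates each of its
        # virtual directories as an IIS application, e.g. /owa, /EWS, /Rpc).
        $paths = @('/') + @(Get-WebApplication -Site $site.Name | ForEach-Object { $_.Path })
        foreach ($path in $paths) {
            # Build the IIS provider path: '/' -> site root, '/owa' -> '\owa' under the site.
            $psPath = "IIS:\Sites\$($site.Name)" + $path.TrimEnd('/').Replace('/', '\')
            $row = [ordered]@{ Site = $site.Name; Path = $path }

            foreach ($module in $authModules) {
                $setting = Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter "system.webServer/security/authentication/$module" -Name enabled
                $row[$module] = [bool]$setting.Value
            }

            # Windows-auth providers that would appear in WWW-Authenticate (Negotiate, NTLM).
            $providers = Get-WebConfiguration -PSPath $psPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
                ForEach-Object { $_.value }
            $row['WindowsAuthProviders'] = ($providers -join ',')

            [pscustomobject]$row
        }
    }
}

# A row with anonymous enabled alongside Basic or Windows auth is exactly the combination
# the scanner finding in the question describes.
Get-IisAuthInventory | Format-Table -AutoSize
```

The script only reads configuration. If a setting does need to change on an Exchange virtual directory, the supported route is the Exchange Management Shell (for example Set-OutlookAnywhere or Set-OwaVirtualDirectory), which keeps Exchange's own configuration and the IIS settings in step, rather than editing the IIS authentication modules directly.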
Systech Admin (India) replied:

No, there is no vulnerability. Every organization is using the authentication method recommended by MS. You can implement a proxy server behind a firewall, like UAG, to increase security.
ASKER CERTIFIED SOLUTION by Amit Kumar (India). This solution is only available to members of Experts Exchange; its text is not shown here.
jtano (asker) replied:

Gaurav: A proxy server behind a firewall sounds like a lot of work. UAG is going away, right?

Amit: I will look into this application. Unfortunately, we don't really have a security team. We're kind of a small shop that gets vulnerability scans, and this one keeps coming up, so my boss wants it to go away.
Even in my infra we had an external vulnerability assessment, but we did not get any issue with the authentication method in the reports; recently we had an issue with weak SSL ciphers, which was resolved after using IISCrypto. The default Exchange-configured authentication method will not get you into trouble; in case you have already customized it, I can't be so sure about that.

A firewall or UAG is there to protect your environment from DoS attacks, IPS attacks, virus attacks and more, depending on how they protect, so they are also required. Now it depends on the situation, as sometimes people don't have a very big infra or much investment, so they don't go for them. Still, the choice is yours; security matters when we work with a public network.
Amit is correct. Yes, UAG support is going away.
jtano (asker) replied:

Okay, I will use this application to try to fix my authentication stuff and tell my boss they are really not vulnerabilities.
Thanks so much for your time.