
We're trying to pass PCI compliance on a few of our websites. After an outside scan, we still have this vulnerability:

Synopsis: The remote web server is affected by an information disclosure vulnerability.

Description: The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known user IDs.

How do we remedy this in IIS?

Thanks

Warner
I.T. Support
  • The scan provider should be able to give you more information, and most scan providers also have people who can tell you how to fix these vulnerabilities. – wolfgangsz Sep 16 '10 at 16:42
    You've probably got the default error pages and other default junk, which means IIS is announcing that it's IIS on the server. If an attacker knows what version of what webserver you're running, he can target your site with only relevant attacks. – mfinni Sep 16 '10 at 16:51
  • I've gone into authentication in IIS and removed windows auth per a suggestion on another website. – I.T. Support Sep 16 '10 at 17:15
  • I am running into the same issue. Did removing the window authentication work for you? – Chris Mullins Sep 17 '10 at 18:05
  • Yes that fixed it. See my posted answer for details – I.T. Support Sep 20 '10 at 22:53

1 Answer


We needed to UNCHECK "Integrated Windows Authentication" in the site's IIS properties:

  • right click the website in IIS, click "properties"
  • click "Directory Security" TAB
  • under "Authentication and access control", click "Edit"
  • under "Authenticated access", UNCHECK "integrated windows authentication"

I rescanned after making this change and we passed compliance.

I.T. Support
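To confirm the change took effect without waiting for a rescan, you can reproduce the probe the scanner describes: request a protected page with deliberately invalid credentials and list the schemes the server advertises in its WWW-Authenticate headers. The script below is an added example, not part of the original question or answer. The URL is a placeholder, and the sample header sets are constructed to resemble an IIS site before and after "Integrated Windows Authentication" is unchecked (Negotiate and NTLM are the schemes that checkbox controls); they are not captured from the poster's servers.

```python
"""Reproduce the scanner's probe: request a page with invalid credentials and
report which HTTP authentication schemes the server advertises.

Added example for the IIS question above; the URL and sample headers are
assumptions/constructed, not data from the original page.
"""
import base64
import urllib.error
import urllib.request
from typing import Dict, List

# Schemes that IIS enables with "Integrated Windows Authentication".
INTEGRATED_SCHEMES = {"negotiate", "ntlm"}

# Constructed samples of what an IIS site might send with a 401.
BEFORE_FIX_HEADERS = ["Negotiate", "NTLM", 'Basic realm="www.example.com"']
AFTER_FIX_HEADERS = ['Basic realm="www.example.com"']


def _split_challenges(value: str) -> List[str]:
    """Split one WWW-Authenticate value into individual challenges.

    Commas inside quoted strings are ignored, and a comma followed by
    'name=value' (no whitespace before the '=') continues the previous
    challenge, e.g. Digest realm="r", qop="auth". A bare token ('NTLM')
    or 'Scheme param=...' starts a new challenge.
    """
    parts: List[str] = []
    buf, in_quotes = "", False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())

    challenges: List[str] = []
    for part in parts:
        if not part:
            continue
        head = part.split("=", 1)[0].strip()
        if "=" not in part or " " in head or not challenges:
            challenges.append(part)
        else:
            challenges[-1] += ", " + part
    return challenges


def advertised_schemes(header_values: List[str]) -> List[str]:
    """Return the lower-cased scheme names, in order, across all
    WWW-Authenticate header values (IIS often sends several)."""
    schemes: List[str] = []
    for value in header_values:
        for challenge in _split_challenges(value):
            scheme = challenge.split(None, 1)[0].lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def integrated_auth_exposed(schemes: List[str]) -> bool:
    """True when Negotiate or NTLM is still being offered to anonymous clients."""
    return any(s in INTEGRATED_SCHEMES for s in schemes)


def probe(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Send the scanner-style request (bogus Basic credentials) and summarise
    the 401 response. Network access required; the URL is a placeholder."""
    bogus = base64.b64encode(b"nosuchuser:wrongpassword").decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + bogus})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.getcode()
            values = resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:
        # A 401 is the expected outcome; its headers carry the challenges.
        status = err.code
        values = err.headers.get_all("WWW-Authenticate") or []
    schemes = advertised_schemes(values)
    return {
        "status": status,
        "schemes": schemes,
        "integrated_auth": integrated_auth_exposed(schemes),
    }


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX_HEADERS), ("after", AFTER_FIX_HEADERS)):
        s = advertised_schemes(hdrs)
        print(f"{label}: schemes={s} integrated_auth={integrated_auth_exposed(s)}")
    # Against a live site (placeholder URL, not from the original page):
    # print(probe("https://www.example.com/secure/"))
```

Run it against the protected URL before and after the change; if Negotiate or NTLM disappears from the advertised list, the server is no longer offering the schemes the finding refers to, which is what the rescan will check.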