Enumeration of .NET handlers (ASP.NET vulnerabilities)

Question

Based on security audit, I am addressing audit findings and eventually I am stack with one item:
124242 : Microsoft .NET Handlers Enumeration
Risk 1 : Web Services
It is possible to obtain the list of handlers the remote ASP.NET web server supports.
Solution:
None
References:
http://support.microsoft.com/kb/815145
Credit:
Tenable : 2009-12-04

I am running ASP.NET 2.0 application on Windows 2008 R2 server and I don't have ISA Server installed.

I feel that I need to configure some rules in Windows Firewall or URLScan, but I don't understand which one exactly.

score 1 · Accepted Answer · answered Aug 10 '12 at 11:43

1

Using this page http://www.iis.net/ConfigReference/system.webServer/handlers we found that access policy can be changed.

So pick one you like and apply using command string:

%systemroot%\system32\inetsrv\Appcmd set config "instancename/files" /section:handlers /accessPolicy:NoRemoteRead /commit:apphost

Place your instance name instead of "instancename".

Hope this helps.

Good luck.

answered Aug 10 '12 at 11:43

Nick

26
1

It will eventually prevent handler from reading files during processing remote requests. And we need prevent .NET handlers enumerations by potential attacker. – Max Markov Aug 11 '12 at 07:29

Enumeration of .NET handlers (ASP.NET vulnerabilities)

1 Answers1