Enumeration of .NET handlers (ASP.NET vulnerabilities)

StackOverflow https://stackoverflow.com/questions/11879084

Pregunta

Based on security audit, I am addressing audit findings and eventually I am stack with one item:
124242 : Microsoft .NET Handlers Enumeration
Risk 1 : Web Services
It is possible to obtain the list of handlers the remote ASP.NET web server supports.
Solution:
None
References:
http://support.microsoft.com/kb/815145
Credit:
Tenable : 2009-12-04

I am running ASP.NET 2.0 application on Windows 2008 R2 server and I don't have ISA Server installed.

I feel that I need to configure some rules in Windows Firewall or URLScan, but I don't understand which one exactly.

¿Fue útil?

Solución

Using this page http://www.iis.net/ConfigReference/system.webServer/handlers we found that access policy can be changed.

So pick one you like and apply using command string:

%systemroot%\system32\inetsrv\Appcmd set config "instancename/files" /section:handlers /accessPolicy:NoRemoteRead /commit:apphost

Place your instance name instead of "instancename".

Hope this helps.

Good luck.

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top