Re: win2k3 and isa2k vulnerability scan

From: Bigbruva (
Date: 11/02/04

Date: Mon, 1 Nov 2004 18:29:07 -0800

There is a good guide produced by MS for securing IIS available from the
following URL:

There is also a checklist for the tasks in the guide available from:


"S. Pidgorny <MVP>" <> wrote in message
> I'd say that the predictable TCP sequence vulnerability is not much of a
> vulnerability: it allows, under certain condition, to insert man in the
> middle and take over TCP sesion - of course, full access to the
> communication line and not protection (IPsec/SSL) are the conditions. I
> don't remember any patch for this "vulnerability" and I wouldn't worry
> about
> it.
> How to configure URLscan to hide IIS version:
> This is security through obcurity,
> which is not security - most potential "hackers" will just unleash all
> their
> exploits against your site (just like you've done with your Nessus scan),
> regardless of the version, or will get information from other sources than
> banner grabbing.
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
> "gotenks" <gotenks@dragonball.z> wrote in message
> news:0e4e01c4c053$57a77f70$a501280a@phx.gbl...
>> I ran a nessus (free open source vulnerability scanner)
>> scan on my 'public-ip/web server'. It was able to
>> identify the version of ISA and IIS that i was running.
>> It also reported a MS Predictable TCP sequence
>> vulnerability, i dont know if it was referring to
>> Win2k3/IIS 6.0 or ISA2K. The recommendation for the tcp
>> sequence vulnerability was to get a patch from the
>> vendor? It also recommended to use URLSCAN to hide the
>> identity of IIS 6.0? Does anyone know how i can get that
>> patch from MS for the tcp sequence vulnerability, and how
>> to configure urlscan to hide the IIS version im using?

Relevant Pages

  • RE: iis 6.0/win2k3 and isa vulnerability
    ... that predictable TCP sequence issue is an old one and should ... Hiding the fact that you are using IIS is a controversial and somewhat ... > patch from MS for the tcp sequence vulnerability, ...
  • Re: IIS6 on W2k3 DCs
    ... I don't think you will find somebody arguing that IIS6 must never be intalling on a domain controller. ... As a CA will sometimes be installed on a DC, you will necessarely installed a really hardened IIS 6 with limited support for ASP to make the Web Certificate enrollement page available. ... >guide for W2k3 but have instead pointed to Microsoft's ...
  • RE: IIS6 on W2k3 DCs
    ... You dont just have to worry about threats from the internet, but from workstations. ... Now - I agree with you about best practices not applying to everyone in every situation, but having said that, there are some "best practices" that if met minimize risk, and the path you take, wont minimize it in the same way. ... But Small Business Server 2003 runs with IIS on our domain controller. ... >guide for W2k3 but have instead pointed to Microsoft's ...
  • Re: IIS6 on W2k3 DCs
    ... The very reason that IIS should not be kept on a DC machine is provided by Microsoft itself: the Web Edition of their 2003 Server. ... >guide for W2k3 but have instead pointed to Microsoft's ... >Any help finding an explicit statement that IIS6 does ...
  • Re: Dienste
    ... Microsoft Windows Server 2003 Security Guide - Hardening IIS ... Daniel Melanchthon - MVP Exchange Server ...