Frontpage Security Vulnerability

Sal

Archived from groups: microsoft.public.win2000.security

http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx

We are currently running IIS 5.0 on a Win2k Server. The
above link shows a Frontpage vulnerability which our
vulnerability detection agent says exists on our system.

I have found patches for 95/98 and NT 4.0, but I have not
found a patch for Win2k. Is there a patch or update for
Win2k Server to correct this issue?

Thanks.
 
Guest

What you might try is to run the Microsoft Baseline Security Analyzer on your
computer and select to scan for IIS vulnerabilities. It will then show a
report of vulnerabilities and how to fix them.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

If you have not done so, you should run the IIS Lockdown tool on that server,
which also contains URLScan. MBSA will probably alert you to do the same if
it has not been done. Be sure to back up your IIS configuration via the IIS
Management Console and back up the server, including System State, before
running IISLockdown, though it is supposed to reverse settings if you run it
again if you have a problem. Just be sure to choose carefully when it asks
you to make a selection that is closest to your IIS configuration.

--- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en


"Sal" <anonymous@discussions.microsoft.com> wrote in message
news:1e0a01c4b519$bb41d480$a601280a@phx.gbl...
> http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx
>
> We are currently running IIS 5.0 on a Win2k Server. The
> above link shows a Frontpage vulnerability which our
> vulnerability detection agent says exists on our system.
>
> I have found patches for 95/98 and NT 4.0, but I have not
> found a patch for Win2k. Is there a patch or update for
> Win2k Server to correct this issue?
>
> Thanks.
 
Guest

Remember, Windows 2000 (and later) did not exist when
this patch was released. I would question the quality of
the vulnerability scan you are basing this upon.
As the bulletin states, this is only a patch for the indicated
versions of the no longer available Personal Web Server,
something that was not made available in FrontPage versions
after FrontPage 98.

If the only machine you are concerned about is Windows 2000
with IIS 5 then you do not have FrontPage Personal Web Server,
and your FrontPage Server Extensions to IIS are at least at the
FrontPage 2000 version. Your scanning should be showing that
you have applied or have need for some updates to the FrontPage
Server Extensions 2000 or 2002 (whichever is installed).
Visit Office Update to detect the service needed for these.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Sal" <anonymous@discussions.microsoft.com> wrote in message
news:1e0a01c4b519$bb41d480$a601280a@phx.gbl...
> http://www.microsoft.com/technet/security/bulletin/ms99-010.mspx
>
> We are currently running IIS 5.0 on a Win2k Server. The
> above link shows a Frontpage vulnerability which our
> vulnerability detection agent says exists on our system.
>
> I have found patches for 95/98 and NT 4.0, but I have not
> found a patch for Win2k. Is there a patch or update for
> Win2k Server to correct this issue?
>
> Thanks.