how to block all requests from URLs with MSDOS device name using isapi filter cve 2007-2897

Musa Zargar asked:

I recently had an audit report on my windows server 2008 R2 and it failed with the error/vulnerability:
Microsoft asp.net ms-dos device name DoS www (443/tcp).

I have not been able to find any solution to fix this vulnerability yet as noone of the solutions accross google suggest how to exactly use ISAPI filter to block all requests from URLs with msdos device name as there is no such particular string mentioned in the audit report.
There ought to be a string to add to ISAPI filter to block all such requests to work around this vulnerability?

Any quick help would be appreciated!

Regards

My answer:


Tell the auditor you aren’t running IIS 6. There is nothing else you really need to do. This vulnerability only affected IIS 6 running on Windows XP and Server 2003.

Of course, if they were competent they would have already known that…


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.