how to block all requests from URLs with MSDOS device name using isapi filter cve 2007-2897

Question

I recently had an audit report on my windows server 2008 R2 and it failed with the error/vulnerability: Microsoft asp.net ms-dos device name DoS www (443/tcp).

I have not been able to find any solution to fix this vulnerability yet as noone of the solutions accross google suggest how to exactly use ISAPI filter to block all requests from URLs with msdos device name as there is no such particular string mentioned in the audit report. There ought to be a string to add to ISAPI filter to block all such requests to work around this vulnerability?

Any quick help would be appreciated!

Regards

Michael Hampton · Answer 1 · 2015-05-20T19:01:56.683

4

Tell the auditor you aren't running IIS 6. There is nothing else you really need to do. This vulnerability only affected IIS 6 running on Windows XP and Server 2003.

Of course, if they were competent they would have already known that...

edited May 20 '15 at 19:01

answered May 20 '15 at 16:57

Michael Hampton

237,123
42
477
940

1

Thank you Michael for your reply. I am going to do as you said but would like to ask if there is any Microsoft official document to support the same? – Musa Zargar May 24 '15 at 14:59
1

@MusaZargar https://support.microsoft.com/en-us/kb/224609 – Michael Hampton May 24 '15 at 15:02

how to block all requests from URLs with MSDOS device name using isapi filter cve 2007-2897

1 Answers1

Linked