0

I manage a Windows Server 2008 R2 box which has a .NET Framework related security issue that showed up in a recent security scan. Below are the security scan results: 

The following Microsoft .NET Framework version(s) do not have the latest service pack installed:

  Installed version: Microsoft .NET Framework v3.5 SP 0
  Should be: Microsoft .NET Framework v3.5 SP 1

I used the Web Platform Installer (WPI) to expedite the installation of PHP, .NET, IIS, etc... Back when the server was first provisioned. As a result, the WPI is used to install updates. When viewing the .NET 3.5 Framework status in WPI, it also indicates SP1 is installed. The box has .NET 4.6, .NET 3.5.1, and .NET 2 installed.

Since the WPI indicates that .NET 3.5 SP 1 is already installed, I am at a loss of how to rectify it. The Add Features shows 3.5.1 installed but no option for adding SP1.

The Windows Control Panel Add/Remove Programs only lists .NET 4.6. Should I just use the Server Manager - remove features to uninstall .NET 3.5.1 and then reinstall it?

Elliot Huffman
  • 1,169
  • 1
  • 10
  • 22
12AX7
  • 113
  • 1
  • 4
  • Uninstall all versions of `.Net` and install `4.7`(latest). That should fix the issue. `.Net` versions are all backward compatible. You could also manually install the `sp1` update on the server if you wanna keep all of the `.Net` versions installed. – Elliot Huffman Jul 27 '17 at 22:42
  • Thank you for your response. Is there any advantage to uninstalling all versions and then installing v4.7 vs trying to resolve the 3.5 SP 1 issue? Since .NET versions are all backward compatible, there should be no concern for applications with dependencies on older versions of .NET, right? – 12AX7 Jul 28 '17 at 15:15
  • `Pros: Less disk space usage, less of a security target and less applications to patch/manage`. `Cons: Can't think of any`. Always test your application before making any framework change. What might look good on paper might not work in the real world. The `WPI` application is only an installer. Use Microsoft Update to install updates to the installed applications. – Elliot Huffman Jul 28 '17 at 20:31
  • Would you like me to write my comment as an answer so that we can close this question? – Elliot Huffman Jul 28 '17 at 22:16
  • Yes, I would greatly appreciate that! – 12AX7 Jul 31 '17 at 14:26

1 Answers1

1

Recommended Answer:

Uninstall all versions of .Net and install 4.7(latest as of writing). That should fix the issue.

.Net versions are all backward compatible.

Alternate answer:

You could also manually install the SP1 update on the server if you wanna keep all of the .Net versions installed.

Pros and Cons:

(For main answer)

  • Pros: Less disk space usage, less of a security target and less applications to patch/manage.

  • Cons: Can't think of any.

Final thoughts:

Always test your application before making any framework change. What might look good on paper might not work in the real world.

  • The WPI application is only an installer.

  • Use Microsoft Update to install updates to the installed applications.

Community
  • 1
Elliot Huffman
  • 1,169
  • 1
  • 10
  • 22