Hi...

I ran the MBSA 2.3 tool on a Server 2012 R2 Standard installation that has SQL Server 2014 x64 Standard installed. The MBSA 2.3 tool is reporting that the IIS Common files are not installed and it suggests a path to do the installation of the tools, via the Add Program Features, etc...

The concern I have is that in my installation of Server 2013 R2 Standard and SQL Server 2014 x64 Standard I took default installation options and the Microsoft Server and/or SQL Server installation programs appear to have chosen NOT to install the IIS Common files. Now the MBSA 2.3 is telling me they need to be there.

Is there a risk associated with me installing the IIS common files on Server 2012/SQL Server 2014 so that I can eliminate this line item from the MBSA report?

Thanks,

Brett

Posting this message for anyone that may find it useful. The 'How To Fix This Error' text in the MBSA 2.3 for this item is useless and primarily inaccurate. I was able to get this error to stop appearing by adding the feature for IIS 6 Management Compatibility. Unfortunately that was the last of tie IIS role/features that I actually enabled. I had enabled almost all IIS role features, particularly the ones that sounded like 'Common' features, re-running the MBSA 2.3 tool, each time to see which item might cause the IIS Common Files line item to be removed. The 'How To Fix This Error' text looks like it hasn't been updated since the days of Windows XP or something. Trying to follow those steps is a waste of time. Bottom line, for me, enabling the IIS 6 Management Compatibility did the trick. It's one of the last features. I do not know if I could have gone back and disabled some of the other features. The line items disappeared so I figure I'll leave well enough alone for now.

I'm also seeing an error about CmdExec Role 'Error reading registry'. I can see from numerous other threads that this sounds like a bug that won't be fixed. All in all, it seems like Microsoft is not really behind their MBSA tool.

I bumped into the "IIS 6 Management Compatibility" issue today as well. After running some tests, I noticed that I need to install this components on both MBSA server - Windows 2008 R2 as well as on the target machine being scanned - Windows 2012.

Having this issue flagged as "Incomplete Scan" is inaccurate and perhaps should be adjusted as this requires the action mentioned above. I would at least expect the scan to indicate a SKIP notification or any similar message instead of marking the scan as incomplete. Besides, if there's a server that doesn't or shouldn't have IIS running, why would I have to install this component across all of my servers just to get a "Success" scan.

Not to mention an outdated FAQ - https://technet.microsoft.com/en-us/security/cc184922.aspx