Exchange 2003 SP2 - Upgrade .NET 1.1 to .NET 3.5 SP1
Hi, We are migrating from Exchange 2003 to 2010, but in the meantime we have regular outsourced audits on our OWA 2003 servers for compliance with a group of audit requirements. The reports are indicating that the OWA 2003 front-end servers have a flaw that is related to the version of .NET that we are running, which is .NET 1.1. The report indicates that we have to fix the problem either by upgrading .NET, which we can't because any release over 1.1 is not supported by Exchange 2003 SP2. Has anyone tried to run Exchange 2003 SP2 with .NET 2.0 and above? If so, how do I proceed to install/upgrade .NET on the Exchange servers? In other words, installing .NET will not remove the old version, and as far as I know the new .NET has to be registered with the application that uses it. Could someone please let me know the steps that I need to follow in order to get this done in Exchange 2003 SP2?
May 15th, 2012 10:56am

.NET Framework 1.1 and 2.0 are not really upgrades. 2.0 is not backwards compatible to 1.1. 3.5 is backwards compatible to 2.0. They can be considered two completely separate applications. Therefore installing .NET Framework 2.0 or higher onto Exchange 2003 is not going to make any difference to the audit, because Exchange will not use it. It wouldn't surprise me if 2.0 or a higher version was already installed. I cannot comment on the audit as you haven't stated any of the details of it. However, I am not really a fan of these automated audits because they fail to take into account the real-world risk. Simon. Simon Butler, Exchange MVP
May 15th, 2012 11:57am

Hi, According to their report, which I have attached below, the flaw affects .NET 1.0 and 1.1. You have to upgrade to another release, which means you can go to .NET 2.0, etc., or you implement a workaround, which is to use only Unicode codepage for output on ASP.NET pages. I have no idea what that means, how to implement/revert it in case of failure, or if this is even going to work. What are my options?

----------------------------------------------------------------------------------------------------------------

THREAT: ASP.NET is a Web application framework developed by Microsoft. ASP.NET Web sites are vulnerable to cross-site scripting attacks. The problem arises from the lack of a filtration of special HTML characters in range U+ff00-U+ff60 (fullwidth ASCII characters). An attacker could exploit this vulnerability when Unicode strings are converted to national ASCII codepages. Affected Versions: ASP .NET Framework 1.0 and 1.1 are affected

IMPACT: Exploitation could allow an attacker to execute arbitrary script code.

SOLUTION: There are no vendor supplied patches available. However, .NET Framework should be updated to the latest available version. Refer to ASP .NET XSS for further information.

Workaround: Use only Unicode codepage for output on ASP.Net pages

    <configuration>
      <system.web>
        <globalization responseEncoding="utf-8"></globalization>
      </system.web>
    </configuration>

RESULT:

    <html>
    <head>
    <title>The resource cannot be found.</title>
    <style>
    body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
    p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
    b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
    H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
    H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
    pre {font-family:"Lucida Console";font-size: .9em}
    .marker {font-weight: bold; color: black;text-decoration: none;}
    .version {color: gray;}
    .error {margin-bottom: 10px;}
    .expandable { text-decoration:underline;font-weight:bold; color:navy; cursor:hand; }
    </style>
    </head>
    <body bgcolor="white">
    <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1> The resource cannot be found. </span>
    <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
    Requested Url: /FileN0tEx15T.aspx
    </body>
    </html>
May 15th, 2012 1:29pm
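
What the report's THREAT and Workaround lines mean in practice, as an added example that is not part of the original thread or of the audit report: a filter that only looks for ASCII angle brackets passes fullwidth ones, which become real markup once output is converted to a national codepage, while UTF-8 output leaves them as they are. The function names and the sample string are constructed for illustration, and Unicode NFKC folding is used here as a stand-in (an assumption) for the codepage conversion the report describes.

```python
import html
import unicodedata

# Characters that are significant in HTML once folded to ASCII.
HTML_SPECIAL = set("<>\"'&")


def folds_to_html_special(text):
    """List (index, char, ascii_form) for every character in U+FF00-U+FF60
    whose compatibility form is an HTML-special character."""
    hits = []
    for i, ch in enumerate(text):
        if 0xFF00 <= ord(ch) <= 0xFF60:
            folded = unicodedata.normalize("NFKC", ch)
            if folded in HTML_SPECIAL:
                hits.append((i, ch, folded))
    return hits


def naive_filter_passes(text):
    """Models the gap in the report: only ASCII angle brackets are checked."""
    return "<" not in text and ">" not in text


def emit(text, response_encoding):
    """Model the output step. For utf-8 the characters are kept as-is; for a
    national codepage, NFKC folding stands in for the conversion (assumption)."""
    if response_encoding.lower() == "utf-8":
        return text.encode("utf-8")
    folded = unicodedata.normalize("NFKC", text)
    return folded.encode(response_encoding, errors="replace")


def safe_emit(text, response_encoding):
    """Fold first, then HTML-encode, so the encoder sees the same characters
    the browser will see after conversion."""
    folded = unicodedata.normalize("NFKC", text)
    return html.escape(folded, quote=True).encode(response_encoding, errors="replace")


if __name__ == "__main__":
    sample = "\uff1cb\uff1ehello"  # constructed input: fullwidth "<b>" + text
    print("naive filter passes:", naive_filter_passes(sample))
    print("fullwidth specials :", folds_to_html_special(sample))
    print("cp1252 output      :", emit(sample, "cp1252"))
    print("utf-8 output       :", emit(sample, "utf-8"))
    print("fold + encode      :", safe_emit(sample, "cp1252"))
```
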

My OWA 2003 servers are using .NET 1.1 Device Update 4.0. I have just verified with the auditors and this is what is coming back as the flaw. Is there any way to upgrade to something other than .NET 1.1?
May 15th, 2012 1:34pm

This topic is archived. No further replies will be accepted.
