I'm running Server 2008 R2 SP1 with IIS 7.5. Our users remote in to the system using both Web Access and RemoteApps and as part of a security review we had a full penetration test run against our external servers. For the most part we did okay, had to disable SSLv2 but that was expected. But we did get picked up on XSS. I'm very new to IIS and only know absolute basic's, what is the simplist way to prevent XSS? One site that I've come across seems to suggest that it could be done through Request Filtering but I don't know where to begin. Thanks, AStaley.

For IIS questions, I recommand to you to post in "The Official Microsoft IIS Site". This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

Hi, As this issue is related to IIS, I suggest discussing it in our IIS forum. They are the best resource to troubleshoot this issue. http://forums.iis.net/ BrentPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.