Security scanning - question about Windows service
Hello,

As part of our internal security requirements all new servers are being scanned by a Nessus engine before being released to production. My two new Lync FE servers have been tagged with having a high-level vulnerability. See below. It calls out the Windows Identity Foundation service as having an 'unquoted service path' in the registry.

Before I comply with trying to 'fix' this 'vulnerability', I was wondering if anyone else runs similar internal security... and if so, have you successfully 'fixed' something like this? I'm a little reluctant to go mucking about in the registry to modify this 'service path' to include quotes.

Thanks in advance for any advice/replies.

Vulnerability data below:

445/tcp
63155 - Microsoft Windows Unquoted Service Path Enumeration [-/+]

Synopsis
The remote Windows host has at least one service installed that uses an unquoted service path.

Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

See Also
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658

Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

Risk Factor
High

CVSS Base Score
7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score
6.5 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitable with
Metasploit (true)

Plugin Information:
Publication date: 2012/12/05, Modification date: 2012/12/17

Ports
tcp/445

Nessus found the following service with an untrusted path:
c2wts : C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
March 26th, 2013 8:38am

Hi,

Thanks for posting in Microsoft TechNet forums. This can be a false alarm from the Nessus product. We can reinstall WIF 3.5 to see if the issue can be fixed. We can also try contacting the manufacturer/support of the Nessus product regarding this issue.

Regards,
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
March 27th, 2013 10:46pm

Thanks - I had a rescan done and the vulnerability came back again. Went ahead with the modification needed - just wrapping service path in registry with quotation marks. Seems to have been a harmless 'fix'. Closing this thread.
March 29th, 2013 7:36am
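The finding in the first post and the fix applied in the last one (wrapping the service's ImagePath in quotation marks) can be audited and applied in a repeatable way rather than by hand-editing each key. The script below is an added example written for this thread, not something posted by the original participants or shipped by Nessus or Microsoft. It walks HKLM:\SYSTEM\CurrentControlSet\Services, reports every service whose ImagePath contains whitespace in the executable portion but is not quoted, and (only with -Fix, and honouring -WhatIf) rewrites the value with the executable quoted and any arguments left as they were. The function names, the regex used to separate the executable from its arguments, and the assumption that the executable ends in .exe are all my own choices, not part of the thread.

```powershell
# Added example (not from the original thread): detect and quote unquoted
# service image paths, the same change the last post made by hand.

function Get-QuotedImagePath {
    # Returns the quoted form of an ImagePath that needs it, or $null when
    # the value is already quoted, has no whitespace in the executable part,
    # or does not look like an .exe (e.g. kernel drivers ending in .sys).
    param([Parameter(Mandatory)][string]$ImagePath)

    $trimmed = $ImagePath.Trim()
    if ($trimmed.StartsWith('"') -or $trimmed -notmatch '\s') { return $null }

    # Assumption: the executable is everything up to the first ".exe";
    # whatever follows (e.g. " -k netsvcs") is treated as arguments.
    $m = [regex]::Match($trimmed, '^(.+?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }

    $exe      = $m.Groups[1].Value
    $argsPart = $m.Groups[2].Value
    if ($exe -notmatch '\s') { return $null }   # space only in the arguments: not affected

    return ('"{0}"{1}' -f $exe, $argsPart)
}

function Find-UnquotedServicePath {
    # Lists affected services; with -Fix, rewrites ImagePath (supports -WhatIf / -Confirm).
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }

        $quoted = Get-QuotedImagePath -ImagePath $props.ImagePath
        if (-not $quoted) { continue }

        [pscustomobject]@{
            Service  = $key.PSChildName
            Current  = $props.ImagePath
            Proposed = $quoted
        }

        if ($Fix -and $PSCmdlet.ShouldProcess($key.PSChildName, "Set ImagePath to $quoted")) {
            # Preserve the existing value kind (REG_SZ vs REG_EXPAND_SZ).
            $kind = $key.GetValueKind('ImagePath')
            Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted -Type $kind
        }
    }
}

# Audit only (no changes); run from an elevated PowerShell session:
Find-UnquotedServicePath | Format-Table -AutoSize

# Dry run of the fix, then the real thing once the list looks right:
# Find-UnquotedServicePath -Fix -WhatIf
# Find-UnquotedServicePath -Fix
```

Run the audit first and compare its output with the Nessus finding; for the path reported in the first post the proposed value is "C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe" with the quotes added and nothing else changed, which matches what the last post did. The -WhatIf pass shows exactly which keys would be rewritten before anything is touched, and the script skips anything that is already quoted, so rerunning it after a rescan is safe.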
