We're trying to pass PCI compliance on a few of our websites. After an outside scan, we still have this vulnerability:
Synopsis: The remote web server is affected by an information disclosure vulnerability.
Description: The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
How do we remedy this in IIS?
Thanks
We needed to UNCHECK "Integrated Windows Authentication" in the site's IIS properties.
I rescanned after making this change and we passed compliance.
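The same change, scripted, plus a check that the server no longer advertises the scheme. This is an added example, not code from the post above; it assumes Windows PowerShell 5.1 with the WebAdministration module on the IIS host, and the site name and URL are placeholders.

```powershell
# Added example (not from the original post): script the answer's change and verify it.
# Assumptions: run elevated on the IIS host; $site and $url are placeholders to replace.
Import-Module WebAdministration

$site   = 'Default Web Site'   # placeholder: the site that failed the scan
$filter = '/system.webServer/security/authentication/windowsAuthentication'

# Before: the scan finding corresponds to this being True for the site.
$before = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name enabled
"windowsAuthentication enabled (before): $($before.Value)"

# The fix from the answer: uncheck "Integrated Windows Authentication" for the site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name enabled -Value $false

$after = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name enabled
"windowsAuthentication enabled (after):  $($after.Value)"

# Verify the way the scanner sees it: an unauthenticated request to a protected page
# should no longer come back 401 with "WWW-Authenticate: Negotiate" / "NTLM".
$url = 'https://www.example.com/protected/'   # placeholder: a page that requires authentication
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    "HTTP $($r.StatusCode): page did not demand authentication"
} catch {
    $resp = $_.Exception.Response
    if (-not $resp) { throw }
    "HTTP $([int]$resp.StatusCode)"
    "WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
}
```

If the 401 still lists Negotiate or NTLM, the setting is being enabled at a lower level (an application or virtual directory), so repeat the check with that path in -Location.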