locked
Exchange 2003 SP2 - Upgrade .NET 1.1 to .NET 3.5 SP1 RRS feed

  • Question

  • Hi,

    We are migrating from Exchange 2003 to 2010, but in the meantime we have regular outsourced audits on our OWA2003 servers for compliance with a group of audit requirements.

    The reports are indicating that the OWA 2003 front end servers have a flaw that is related to the version of .NET that we are running which is .NET 1.1.

    The report indicates that we have fix the problem either by upgrading .NET which we can't because any release over 1.1 is not supported by Exchange 2003 SP2.

    Has anoyone tried to run Exchange 2003 SP2 with .NET 2.0 and above? If so, how do proceed to install/upgrade .NET on the Exchange servers? In other words installing .NET will not remove the old version and as I far as I know the new .NET has to be register with the application that uses it.

    Could someone please let me know the steps that I need to follow in order to get this done in Exchange 2003 SP2?     
    Tuesday, May 15, 2012 2:56 PM

Answers

  • The only way to upgrade is to upgrade the versions of Exchange and Windows.

    Both Windows 2003 and Exchange 2003 are well past their supported date, so if you must pass that test then you will have to speed up the migration to remove the Exchange 2003 server from production.

    Although if this is the flaw I am thinking of, then it has been around since 2005, it isn't anything new.

    Simon. 


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    • Marked as answer by post Wednesday, May 16, 2012 11:23 PM
    Tuesday, May 15, 2012 5:58 PM

All replies

  • .net Framework 1.1 and 2.0 are not really upgrades. 2.0 is not backwards compatible to 1.1. 3.5 is backwards compatible to 2.0. They can be considered two completely separate applications.

    Therefore installing netframework 2.0 or higher on to Exchange 2003 is not going to make any difference to the audit, because Exchange will not use it. It wouldn't surprise me if 2.0 or a higher version was already installed.

    I cannot comment on the audit as you haven't stated any of the details of it. However I am not really a fan of these automated audits because they fail to take in to account the real world risk.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Tuesday, May 15, 2012 3:57 PM
  • Hi,

    Acording to their report which I have attached below. The flaw affects .NET 1.0 and 1.1 you have to upgrade to other release which you can go to .NET 2.0, etc. or you implement a workaround that will be the use only Unicode codepage for output on ASP.Net pages which I have no idea what that means, how to implement/revert in case or failure or if this is going to even work.

    What are my options?

    ----------------------------------------------------------------------------------------------------------------

    THREAT:
    ASP.NET is a Web application framework developed by Microsoft.

    ASP.NET Web sites are vulnerable to cross-site scripting attacks. The problem arises from the lack of a filtration of special HTML characters in
    range U+ff00-U+ff60 (fullwidth ASCII characters). An attacker could exploit this vulnerability when Unicode strings are converted to national ASCII codepages.
    Affected Versions:
    ASP .NET Framework 1.0 and 1.1 are affected
    IMPACT:
    Exploitation could allow an attacker to execute arbitrary script code.
    SOLUTION:
    There are no vendor supplied patches available. However, .NET Framework should be updated to the latest available version.
    Refer to ASP .NET XSS for further information.
    Workaround:
    Use only Unicode codepage for output on ASP.Net pages

    < CONFIGURATION>
    < SYSTEM.WEB>
    < GLOBALIZATION RESPONSEENCODING="utf-8"></GLOBALIZATION>
    < /SYSTEM.WEB>
    < /CONFIGURATION>

    RESULT:
    < html>
    < head>
    < title>The resource cannot be found.</title>
    < style>
    body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
    p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
    b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
    H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
    H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
    pre {font-family:"Lucida Console";font-size: .9em}
    .marker {font-weight: bold; color: black;text-decoration: none;}
    .version {color: gray;}
    .error {margin-bottom: 10px;}
    .expandable { text-decoration:underline;font-weight:bold; color:navy; cursor:hand; }
    < /style>
    < /head>
    < body bgcolor="white">
    < span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
    The resource cannot be found. </span>
    < font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or
    is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

    Requested Url: /FileN0tEx15T.aspx

    < /body>
    < /html>                          

    Tuesday, May 15, 2012 5:29 PM
  • My owa 2003 servers are using .NET 1.1 Device Update 4.0. I have just verified with the auditors and this is what is coming back as the flaw. Is there any way to upgrade to something else than .NET 1.1?
    Tuesday, May 15, 2012 5:34 PM
  • The only way to upgrade is to upgrade the versions of Exchange and Windows.

    Both Windows 2003 and Exchange 2003 are well past their supported date, so if you must pass that test then you will have to speed up the migration to remove the Exchange 2003 server from production.

    Although if this is the flaw I am thinking of, then it has been around since 2005, it isn't anything new.

    Simon. 


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    • Marked as answer by post Wednesday, May 16, 2012 11:23 PM
    Tuesday, May 15, 2012 5:58 PM
  • So Exchange 2003 SP2 requires .NET 1.1 in order to work. There is no way to remove .NET 1.1 from the system install something above 1.1 and have Exchange 2003 fully work with it. Am I understanding this correctly?

    Also do you have any idea what the work around means? Or if this is something that can be implemented?

    • Edited by post Tuesday, May 15, 2012 7:22 PM
    Tuesday, May 15, 2012 6:07 PM