Are Windows Server 2012 R2 and IIS affected by Heartbleed?

"OpenSSL 1.01 - affected one production version - has been shipping since March 12, 2012."

Does this (above) mean that the Windows 2012 R2 server that we ordered a month ago, which is now serving HTTPS sites in IIS, is vulnerable to Heartbleed attacks?

I read a post that suggests checking if your server is vulnerable using this site http://filippo.io/Heartbleed/ , but it is probably taking a ton of hits right now, as it is not responding.

+46
ssl iis openssl windows-server-2012 heartbleed-bug
Apr 08 '14
2 answers

IIS is not vulnerable, since it does not use the OpenSSL library.

Update, quote from Troy Hunt:

Not all web servers depend on OpenSSL. For example, IIS uses Microsoft's SChannel implementation, which is not at risk from this bug. Does this mean that sites on IIS are not vulnerable to Heartbleed? For the most part, yes, but don't get too cocky, because OpenSSL may still be present within the server farm.

More details here - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

Update 2:

Microsoft blog post on IIS and Heartbleed: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx

+94
Apr 09

I just used http://filippo.io/Heartbleed/ to check a website that we host on Win 2008 with IIS7. SSL terminates directly on the Windows server (no load balancer with SSL offload in between), and it is reported as vulnerable. Similar tests of sites hosted on Win 2012 with IIS8 do not give the same result (they do not show up as vulnerable).

Edit (added link to MS forum): http://social.technet.microsoft.com/Forums/en-US/93a24775-6f62-4690-8c86-3652b74c1b4f/openssl-vulnerability?forum=Forefrontedgegeneral

+7
Apr 09 '14 at 3:58
