We are working toward the (near impossible) goal of having an error and warning free environment.
When running a BPA scan on our Remote Desktop Services servers we are getting the following:
Title:Grant a handler execute/script or write permissions, but not both
Severity
Error
Date:
7/15/2014 7:33:56 PM
Category:
Other
Problem:
The attribute 'accessPolicy' in the handlers section under path 'MACHINE/WEBROOT/APPHOST' is set to allow both Execute/Script and Write permissions.
Impact:
By allowing both Execute/Script and Write permissions, a handler can run malicious code on the target server.
Resolution
Determine if the handler requires both Execute/Script and Write permissions, and revoke the one that is not needed.
http://go.microsoft.com/fwlink/?LinkId=130708
The two servers we get this message on are only setup with the Remote Desktop Services role with RSWeb enabled. Applications have been configured as RemoteApps. These servers were built very recently and all services should be setup with the original system defaults.
We tried to follow the instructions in the article about editing the web.config or notepad administrationhost.config to revoke permissions, but there is no entry in there files for "handlers accessPolicy" as the instructions state I should find. I also checked the RDWeb folder in C:\Windows\Web\RDWeb and saw the web.config file in this location is also missing an entry called "handlers accessPolicy".
Anyone have a suggestion how to correct this? We would prefer not to exclude the result from BPA scans.