Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server

1. Rename C:Program FilesMicrosoftExchange ServerClientAccessowaautherror.aspx

to   error.bak.aspx

2. Paste contents of error2.aspx as listed here

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

into a new version of C:Program FilesMicrosoftExchange ServerClientAccessowaautherror.aspx

3. Add a new web.config (probably doesn't exist) at your website root.  In our case:

C:Program FilesMicrosoftExchange ServerClientAccessweb.config

Containing

view plaincopy to clipboardprint?

01.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>  

02.<configuration>  

03.  <system.web>  

04.    <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />  

05.  </system.web>  

06.</configuration>  

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<configuration>

 <system.web>

   <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />

 </system.web>

</configuration>

This will then be used by other child virtual directories that don't override the customErrors element.

4. Optional:  our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.

http://forums.asp.net/p/1604596/4090614.aspx#4090614