Virtual machine credential information is transmitted to IIS without encryption in Virtual Server 2005 (840603)


The information in this article applies to:

  • Microsoft Virtual Server 2005

SYMPTOMS

When you configure the credentials to run a virtual machine in Microsoft Virtual Server 2005, those credentials are submitted to Microsoft Internet Information Services (IIS) without encryption (in plain text). If you perform this action by using a remote connection to the Virtual Server computer, a malicious user could obtain these credentials.

CAUSE

This issue occurs because the Virtual Server Web application transfers the user name and password information to the IIS Server computer in clear text.

WORKAROUND

To work around this issue, Microsoft recommends that you configure the Virtual Server Web site in IIS to use Secure Sockets Layer (SSL) for communications.

MORE INFORMATION

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290625 How to configure SSL in a Windows 2000 IIS 5.0 test environment by using Certificate Server 2.0

For additional information about how to deploy IIS 6.0, download the Windows Server 2003 Deployment Kit: Deploying Internet Information Services (IIS) 6.0. To obtain this guide, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F31A5FD5-03DB-46D2-9F34-596EDD039EB9&displaylang=en

Modification Type:MinorLast Reviewed:11/16/2004
Keywords:kbenv kbprb KB840603 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.