5.1 Security Considerations for Implementers

Authenticated RPC has to be used by this protocol, as specified in [C706] section 13.

The IIS IMSAdminBaseW Remote Protocol uses weak keys and cryptographic algorithms: 512-bit RSA keys, 40-bit RC4, and the MD5 hash are used to protect sensitive data. For more information, see section 3.1.4.1.1.

The IIS IMSAdminBaseW Remote Protocol includes secure session negotiation but does not provide support for server-side authentication or for handling man-in-the-middle (MITM) attacks. For more information, see section 3.1.4.1.1.

The RPC/DCOM packet privacy feature has to be used for more robust protection of the data transferred over the IIS IMSAdminBaseW Remote Protocol.<47>
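
One way to check that captured traffic for this protocol actually uses packet privacy, as an added example that is not part of this specification: the code reads the auth_level field from the security trailer of a connection-oriented DCE/RPC PDU as laid out in [C706]. The function names and the sample PDUs built by build_request are constructed for illustration.

```python
import struct

# Authentication levels defined for DCE/RPC in [C706].
AUTH_LEVELS = {1: "none", 2: "connect", 3: "call", 4: "pkt",
               5: "pkt_integrity", 6: "pkt_privacy"}
PKT_PRIVACY = 6
COMMON_HDR_LEN = 16   # connection-oriented common header
SEC_TRAILER_LEN = 8   # auth_type, auth_level, pad_length, reserved, context_id


def auth_level(pdu: bytes):
    """Return auth_level of one connection-oriented PDU, or None when the
    PDU carries no authentication verifier (auth_length == 0)."""
    if len(pdu) < COMMON_HDR_LEN or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    # High nibble of packed_drep[0]: 1 = little-endian, 0 = big-endian.
    order = "<" if pdu[4] >> 4 == 1 else ">"
    frag_length, auth_length = struct.unpack_from(order + "HH", pdu, 8)
    if frag_length > len(pdu):
        raise ValueError("truncated PDU")
    if auth_length == 0:
        return None
    # The security trailer sits directly before the auth_value at the PDU end.
    trailer_off = frag_length - auth_length - SEC_TRAILER_LEN
    if trailer_off < COMMON_HDR_LEN:
        raise ValueError("auth_length inconsistent with frag_length")
    return pdu[trailer_off + 1]


def uses_packet_privacy(pdu: bytes) -> bool:
    """True only when the PDU is protected at the packet privacy level."""
    return auth_level(pdu) == PKT_PRIVACY


def build_request(level, body=b"\x00" * 16, auth_value=b"\xaa" * 16):
    """Constructed sample: minimal little-endian request PDU (ptype 0).
    level=None builds an unauthenticated PDU; auth_type 10 and the
    auth_value bytes are placeholders, not a real security token."""
    stub = struct.pack("<IHH", len(body), 0, 0) + body  # alloc_hint, ctx id, opnum
    trailer = b""
    if level is not None:
        trailer = struct.pack("<BBBBI", 10, level, 0, 0, 0) + auth_value
    auth_len = len(auth_value) if level is not None else 0
    frag_len = COMMON_HDR_LEN + len(stub) + len(trailer)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0, 0x03, b"\x10\x00\x00\x00",
                      frag_len, auth_len, 1)
    return hdr + stub + trailer
```

The header and security trailer stay in cleartext even when the stub data is encrypted, so this check works on a capture without access to session keys.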