I have a Server 2003 Ent 64bit with Exchange2007 SP3. This server have enable the OWA services, so during PCI compliance test appears the above indication.
We have communicate with Microsoft, in order to provide correct actions to pass PCI compliance test, but until now all actions have been fail, due to OWA service. (OWA of Exc2007 cannot work if we try to upgrade the .Net Framework to ver 4 -64 bit).
Also on other sections I have read comments for OWA, which is an application which don't have Cross-Site Scripting capabilities.
What proofs needed to provide in order to have a False Positive exception for our Exchange Server and OWA as Web Application?