To make this information readable, I will put just the heading info in here, and not the full details.

Microsoft IIS ISM.DLL HTR Request Remote Overflow
This is related to the mappings for .HTR, .STM, and .IDC files. By default, .htr is not mapped, for security reasons. Contact support to have the mappings for .stm and .idc removed if you are not using these extensions. The use of .stm is rare and the use of .idc is almost unheard of. We will shortly be removing the .idc mapping from the servers by default.

IIS Authorization Method Disclosed
07/01/08
CVE-2002-0419
IIS is vulnerable to information gathering about which form of authentication is in use, because the responses to connection attempts with incorrect user IDs and passwords differ.
**Contact support with your domain name and request that all Authentication options be unchecked for your domain.

FTP Server Remote Buffer Overflow
10/13/09 CVE-2009-2521 CVE-2009-3023 Two vulnerabilities exist in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, 5.1, 6.0, and 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution on systems running the FTP Service on IIS 5.0, or denial of service (DoS) on systems running the FTP Service on IIS 5.0, 5.1, 6.0 or 7.0.
**False Positive. This is related to patch KB 975254, which is installed.

File change notification privilege elevation
02/14/08 CVE-2008-0074 IIS is vulnerable in the way it handles file change notifications in the FTPRoot, NNTPFile\Root, and WWWRoot folders. A local attacker would have to be able to create or modify a file in one of these directories. A remote attacker would have to be able to upload a script to an affected IIS server and run it, and that script would need write access to the FTPRoot, NNTPFile\Root, or WWWRoot folders. An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of Local System. Unpatched versions of IIS are vulnerable on: Windows 2000 with the IIS web server, FTP or NNTP services enabled; Windows XP with the IIS web server or FTP services enabled; Windows Server 2003 with FTP or NNTP services enabled; and Vista with the FTP service enabled.
**False Positive. Related to KB 975254 referenced above.


FTP Services - 110086 - TCP 21 - WU-FTPD QUOTE PASV Forced Core Dump Information Disclosure
The suggested solution is: Upgrade your FTP server to the latest version.
This is a false positive, as the FTP server is already at the latest version on all of our servers. One scanner wanted more detail, so I will include that here:
"OS: Depending on the server, it will be either Windows Server 2008 SP2 or Windows Server 2003 SP2, with all current security updates. The version of FTP is IIS 7.5 for Windows 2008 or IIS 6.0 for Windows 2003 SP2. We do not run WU-FTPD on any of our servers, which is referenced by Threat 110086".


Web Services - 131657 - TCP 80 - Web Server Uses Non Random Session IDs
Generally related to ColdFusion sites. The solution can be found here.

ASP Upload Command Execution
07/12/06 CVE-2006-0026 IIS 5.0, 5.1, and 6.0 are affected by a buffer overflow when processing ASP files. A remote attacker could execute arbitrary commands by uploading a specially crafted ASP file to the web server and then causing IIS to process it. An attacker would need valid login credentials to exploit this vulnerability unless the web server has been configured to allow anonymous uploads to the web site.
**False Positive: This is related to patch KB 917537 and is also not applicable to Windows Server 2003.

Web Services - 500033 - TCP 443 - Possible Vulnerabilities in IIS 5
This is a false positive, as we do not run IIS 5 on any of our servers. Your PCI scanning company should be able to determine this and not report this to you.


Multiple Vulnerabilities in IIS 4.0 - 5.1
This is a false positive, as we do not run IIS 4 or IIS 5 on any of our servers. Your PCI scanning company should be able to determine this and not report it to you.


Cross-Site Scripting
This is something you need to fix in your code. Basically, you need to sanitize form input before using it after the form is submitted. At a minimum, remove the following characters:
% ( ) = < >

Here is a sample of how to do this, based on ASP. I would suggest placing this function in an include page:
Code:
' Strips the minimal character list above plus a few others commonly
' used in injection attempts (' | ; - ") from a submitted form field.
Function CleanFormInput(aField)
  Dim aTempField
  aTempField = Replace(aField, "<", "")
  aTempField = Replace(aTempField, ">", "")
  aTempField = Replace(aTempField, "%", "")
  aTempField = Replace(aTempField, "=", "")
  aTempField = Replace(aTempField, "(", "")
  aTempField = Replace(aTempField, ")", "")
  aTempField = Replace(aTempField, "'", "")
  aTempField = Replace(aTempField, "|", "")
  aTempField = Replace(aTempField, ";", "")
  aTempField = Replace(aTempField, "-", "")
  ' """" is a VBScript string containing a single double-quote character.
  aTempField = Replace(aTempField, """", "")
  CleanFormInput = aTempField
End Function
Then, in the code where you process the input, you could do something like the following (after including the include file mentioned above):
Code:
aCleanVar = CleanFormInput(Request("myFormField"))
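As an added example that is not part of the original post, here is the complementary output-encoding approach in the same classic ASP/VBScript. Stripping characters on input also mangles legitimate values (O'Brien becomes OBrien, 555-1234 becomes 5551234), so the more reliable fix is to keep the value as entered and encode it at the point it is written into the page. HtmlEncodeField is my own helper, not a built-in, and the field name customerName is assumed.

```vbscript
' Added helper, not part of the original post or of ASP itself:
' encodes a value so that any HTML markup inside it is displayed as
' text by the browser instead of being rendered or executed.
Function HtmlEncodeField(ByVal aField)
  Dim aTemp
  aTemp = aField
  ' "&" must be replaced first, otherwise the entities added below
  ' would themselves be re-encoded.
  aTemp = Replace(aTemp, "&", "&amp;")
  aTemp = Replace(aTemp, "<", "&lt;")
  aTemp = Replace(aTemp, ">", "&gt;")
  aTemp = Replace(aTemp, """", "&quot;")
  ' The built-in Server.HTMLEncode leaves the apostrophe alone; encode
  ' it here as well so the value is safe inside single-quoted attributes.
  aTemp = Replace(aTemp, "'", "&#39;")
  HtmlEncodeField = aTemp
End Function

' Usage in the page that displays the submitted value. The field name
' customerName is an assumed example, not from the original post.
Dim aName
aName = Request.Form("customerName")
' Encode on output rather than stripping on input: a value such as
' O'Brien <b>& Sons</b> is shown exactly as typed, with the <b> tags
' appearing as literal text instead of being interpreted as HTML.
Response.Write "<p>Customer: " & HtmlEncodeField(aName) & "</p>"
' Only the HTML context is covered here; a value written into SQL or
' into a JavaScript block needs the encoding appropriate to that context.
```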

Details: A cookie without the HTTPOnly attribute could be susceptible to theft by cross-site scripting attacks.
** See this link for the fix to this issue.