Ensure ‘MaxQueryString request filter’ is configured – Applications

Details

The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications. It is recommended that values always be established to limit the amount of data that can be accepted in the query string.

With a properly configured Request Filter limiting the amount of data accepted in the query string, chances of undesired application behaviors such as app pool failures are reduced.

Solution

The MaxQueryString Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files.

To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, go to the connection, site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings… in the Actions pane
5. Under the Request Limits section, key in a safe upper bound in the Maximum query string (Bytes) textbox

To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxQueryString:2048
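To check the result of the steps above across a whole server, the following PowerShell audit is an added example, not part of the CIS benchmark or the original article. It assumes the WebAdministration module is available, uses 2048 bytes (the value from the AppCmd command above) as the upper bound, and the function name Get-MaxQueryStringAudit is hypothetical.

```powershell
# Added example: report the effective maxQueryString for the server,
# each site and each application, and flag values above the chosen limit.
# Assumption: 2048 bytes (the value in the AppCmd command above) is the agreed upper bound.
Import-Module WebAdministration

function Get-MaxQueryStringAudit {   # hypothetical helper name
    param([uint32]$Limit = 2048)

    $filter = 'system.webServer/security/requestFiltering/requestLimits'

    # Server level first, then every site and the applications beneath it.
    $targets = @('MACHINE/WEBROOT/APPHOST')
    foreach ($site in Get-Website) {
        $targets += "IIS:\Sites\$($site.Name)"
        foreach ($app in Get-WebApplication -Site $site.Name) {
            # Application paths are stored as "/app"; the IIS: drive uses backslashes.
            $targets += "IIS:\Sites\$($site.Name)$($app.path -replace '/', '\')"
        }
    }

    foreach ($path in $targets) {
        # Returns the effective value at this path, including inherited settings.
        $attr = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'maxQueryString'
        [pscustomobject]@{
            Path           = $path
            MaxQueryString = $attr.Value
            Compliant      = ($attr.Value -le $Limit)
        }
    }
}

# Run from an elevated PowerShell session on the IIS server.
Get-MaxQueryStringAudit -Limit 2048 | Format-Table -AutoSize
```

Rows with Compliant set to False identify the sites or applications where a web.config override has raised the limit above the chosen bound.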

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Windows.

Updated on July 16, 2022