Details
Setting limits on web requests ensures availability of web services and mitigates the risk of buffer overflow type attacks. The ‘Allow high-bit characters’ Request Filtering setting enables rejection of requests containing non-ASCII characters.
Solution
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name under review.
Double-click the ‘Request Filtering’ icon.
Click ‘Edit Feature Settings’ in the ‘Actions’ pane.
Uncheck the ‘Allow high-bit characters’ check box.
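The same check and change can be scripted across every site on the server. The PowerShell below is an added example, not part of the STIG text; it assumes the WebAdministration module that ships with IIS and an elevated session, and the function names Get-HighBitSetting and Set-HighBitDisabled are hypothetical.

```powershell
# Added example: audit and remediate 'Allow high-bit characters' on every IIS site.
# Assumes an elevated session on the IIS 10.0 server.
Import-Module WebAdministration

# Configuration section and attribute behind the 'Allow high-bit characters' check box.
$filter = 'system.webServer/security/requestFiltering'
$name   = 'allowHighBitCharacters'

function Get-HighBitSetting {
    # Report the effective value of the attribute for each site.
    foreach ($site in Get-Website) {
        $path = "IIS:\Sites\$($site.Name)"
        $attr = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name $name
        [pscustomobject]@{
            Site      = $site.Name
            Allowed   = [bool]$attr.Value
            Compliant = -not [bool]$attr.Value   # compliant when the box is unchecked
        }
    }
}

function Set-HighBitDisabled {
    # Uncheck the setting only on sites that are currently non-compliant.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-HighBitSetting | Where-Object { -not $_.Compliant }) {
        $path = "IIS:\Sites\$($row.Site)"
        if ($PSCmdlet.ShouldProcess($row.Site, "Set $name to false")) {
            Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name $name -Value $false
        }
    }
}

Get-HighBitSetting | Format-Table -AutoSize   # state before the change
Set-HighBitDisabled                           # add -WhatIf to preview without writing
Get-HighBitSetting | Format-Table -AutoSize   # every row should now show Compliant = True
```

Because the change is made at the site path, it is written to that site's web.config; sites that legitimately serve non-ASCII URLs should be tested after the change.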
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Windows.
References
- 800-53|SC-5(1)
- CAT|II
- CCI|CCI-001094
- Rule-ID|SV-218756r558649_rule
- STIG-ID|IIST-SI-000228
- STIG-Legacy|SV-109337
- STIG-Legacy|V-100233
- Vuln-ID|V-218756