Details

The maxURL attribute of the property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept. It is recommended that a limit be put on the length of URL.

With a properly configured Request Filter limiting the amount of data accepted in the URL, chances of undesired application behaviors affecting the availability of content and services are reduced.

NOTE: Please update MAX_URL with the appropriate value for the local environment.

Solution

The MaxURL Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, click on the connection, site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings… in the Actions pane
5. Under the Request Limits section, key the maximum URL length in bytes that has been tested with web applications

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/166

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

• 800-53|SI-10

Source

• Tenable.com/audits