IIST-SI-000227 – The IIS 10.0 websites Maximum Query String limit must be configured.

Details

Setting limits on web requests helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter describes the upper limit on allowable query string lengths. Upon exceeding the configured value, IIS will generate a Status Code 404.15.

Solution

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name under review.

Double-click the ‘Request Filtering’ icon.

Click ‘Edit Feature Settings’ in the ‘Actions’ pane.

Set the ‘Maximum Query String’ value to ‘2048’ or less.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

800-53|SC-5(1)
CAT|II
CCI|CCI-001094
Rule-ID|SV-218755r558649_rule
STIG-ID|IIST-SI-000227
STIG-Legacy|SV-109335
STIG-Legacy|V-100231
Vuln-ID|V-218755

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles