The FavorUTF8 registry key must be set properly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13716	WA000-WI6084 IIS6	SV-38162r1_rule	ECSC-1	Medium

Description
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any other encoding. Overlong encoding forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.

Description

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any other encoding. Overlong encoding forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.

STIG	Date
IIS6 Server	2011-09-26

Details

Check Text ( C-37543r1_chk )
To verify this setting, use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters FavorUTF8 REG_DWORD 1 If the registry value is not set to 1, this is a finding. NOTE: If check WA000-WI6082 is set correctly to 0, this registry key is optional and would not be a finding if it is not present.

Fix Text (F-32789r1_fix)
Use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters Set the " FavorUTF8" key to REG_DWORD 1, add the key if it does not exist.