UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The MaxRequestBytes registry entry must be set properly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13718 WA000-WI6088 IIS6 SV-38164r1_rule ECSC-1 Medium
Description
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The MaxRequestBytes registry key determines the upper limit for the total size of the HTTP request line and headers. If this value is set too high, performance or Denial of Service conditions may appear.
STIG Date
IIS6 Server 2011-09-26

Details

Check Text ( C-37545r1_chk )
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the MaxRequestBytes key is set to REG_DWORD 16384 (or less).
If the registry key is not set to 16384 (or less) or is missing, this is a finding.

NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix Text (F-32791r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the MaxRequestBytes key to REG_DWORD 16384 (or less) or add the key and set it to REG_DWORD 16384.