
The UrlSegmentMaxCount registry entry must be set properly.


Overview

Finding ID: V-13722
Version: WA000-WI6096 IIS6
Rule ID: SV-38168r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Http.sys is the kernel-mode driver that handles HTTP requests, and several registry keys are associated with it. The UrlSegmentMaxCount value determines the maximum number of URL path segments the server accepts, which effectively limits the number of slashes a user can include in a request URL. It is recommended to set a fairly stringent limit on this value, based on the depth of the web document root tree, to protect the server from a file system traversal attack.
STIG: IIS6 Server
Date: 2011-09-26

Details

Check Text (C-37549r1_chk)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Verify that the value for the UrlSegmentMaxCount key is set to REG_DWORD 255 (or less).
If the registry value is not set to 255 (or less) or is missing, this is a finding.
Fix Text (F-32795r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the UrlSegmentMaxCount key to REG_DWORD 255 (or less) or add the key and set it to REG_DWORD 255.
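
The check and fix steps above can be scripted. The following PowerShell is an added example, not part of the STIG text: the function names and the -Remediate switch are hypothetical, while the registry path, value name, type and limit are the ones given above.

```powershell
# Added example. Function names and the -Remediate switch are hypothetical;
# the path, value name, type and limit come from the check and fix text.
param([switch]$Remediate)

$Path  = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$Name  = 'UrlSegmentMaxCount'
$Limit = 255

function Test-UrlSegmentMaxCount {
    # Finding stays $true unless every condition in the check text is met.
    $r = New-Object PSObject -Property @{ Finding = $true; Value = $null; Reason = '' }
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { $r.Reason = 'Parameters key is missing'; return $r }
    if ($key.GetValueNames() -notcontains $Name) {
        $r.Reason = "$Name is missing"; return $r
    }
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $r.Reason = "$Name is $kind, not REG_DWORD"; return $r
    }
    # .NET returns a DWORD as a signed Int32; reinterpret it as unsigned so
    # that 0xFFFFFFFF reads as 4294967295 rather than -1 and fails the check.
    $raw = [int]$key.GetValue($Name)
    $r.Value = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)
    if ($r.Value -gt $Limit) { $r.Reason = "$Name exceeds $Limit"; return $r }
    $r.Finding = $false
    $r.Reason = 'Compliant'
    return $r
}

function Set-UrlSegmentMaxCount {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force creates the value, or replaces an existing one of the wrong type.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Limit -Force | Out-Null
}

$state = Test-UrlSegmentMaxCount
if ($state.Finding -and $Remediate) {
    Set-UrlSegmentMaxCount          # requires an elevated session
    $state = Test-UrlSegmentMaxCount
}
$state | Format-List Finding, Value, Reason
```

Http.sys reads its parameters when the HTTP service starts, so a changed value takes effect only after that service is restarted.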