Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-13720 | WA000-WI6092 IIS6 | SV-38166r1_rule | ECSC-1 | Medium |
Description |
---|
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The PercentUAllowed key allows the web server to accept Unicode character syntax via ASCII (i.e., through the URL). Allowing this type of notation opens the web server to encoding attacks. |
STIG | Date |
---|---|
IIS6 Server | 2014-12-05 |
Check Text (C-37547r1_chk) |
---|
1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the PercentUAllowed key is set to REG_DWORD 0. If the registry value is not set to 0 or is missing, this is a finding. |
Fix Text (F-32793r1_fix) |
---|
1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Set the value for the PercentUAllowed key to REG_DWORD 0 or add the key and set it to REG_DWORD 0. |
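
The check and fix above as a script, for hosts where PowerShell is available. This is an added example, not part of the STIG; the function names and the shape of the result object are assumptions of the example.

```powershell
# Added example: audits and remediates PercentUAllowed per the check/fix text.
# Function names and result properties are hypothetical, not from the STIG.
$HttpParamsPath = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$ValueName      = 'PercentUAllowed'

function Test-PercentUAllowed {
    param([string]$Path = $HttpParamsPath)

    $result = New-Object PSObject -Property @{
        FindingId = 'V-13720'; Path = $Path
        Value = $null; Kind = $null; Finding = $true; Reason = ''
    }

    if (-not (Test-Path -Path $Path)) {
        $result.Reason = 'Parameters key is missing'
        return $result
    }

    $key = Get-Item -Path $Path
    # A missing value is a finding, same as a non-zero one.
    if ($key.GetValueNames() -notcontains $ValueName) {
        $result.Reason = "$ValueName is missing"
        return $result
    }

    $result.Value = $key.GetValue($ValueName)
    $result.Kind  = $key.GetValueKind($ValueName)

    # The check requires REG_DWORD 0; a REG_SZ "0" does not satisfy it.
    if ($result.Kind -ne 'DWord') {
        $result.Reason = "$ValueName is $($result.Kind), expected DWord"
    } elseif ($result.Value -ne 0) {
        $result.Reason = "$ValueName is $($result.Value), expected 0"
    } else {
        $result.Finding = $false
        $result.Reason  = 'Compliant'
    }
    return $result
}

function Set-PercentUAllowedOff {
    param([string]$Path = $HttpParamsPath)
    # -Force replaces an existing value, including one of the wrong type.
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

# Audit first; remediate only when the check reports a finding.
$check = Test-PercentUAllowed
if ($check.Finding) { Set-PercentUAllowedOff; $check = Test-PercentUAllowed }
$check | Format-List FindingId, Path, Value, Kind, Finding, Reason
```

Http.sys reads its Parameters values when the HTTP service starts, so re-run the check after the service or host has been restarted.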