UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The AllowRestrictedChars registry key must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13714 WA000-WI6080 IIS6 SV-38160r1_rule ECSC-1 Medium
Description
IIS6 Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. If the AllowRestrictedChars key is set to a nonzero value, Http.sys accepts hex-escaped chars in request URLs that decode to U+0000 – U+001F and U+007F – U+009F ranges. If this capability is enabled it allows malicious characters to be hex-encoded by an attacker in an attempt to bypass input validation routines.
STIG Date
IIS6 Server 2015-06-01

Details

Check Text ( C-37541r1_chk )
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the AllowRestrictedChars key is set to REG_DWORD 0.

If the registry key is not set to 0 or does not exist, this is a finding.
Fix Text (F-32787r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the AllowRestrictedChars key to REG_DWORD 0 or add the key and set it to REG_DWORD 0.