The MaxFieldLength registry entry must be set properly.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13717 | WA000-WI6086 IIS6 | SV-38163r2_rule | ECSC-1 | Medium |
| Description |
|---|
| By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. Setting this value to high, when the application does not require it to operate, may cause performance problems as well as Denial of Service issues for the web server. |
| STIG | Date |
|---|---|
| IIS6 Server | 2015-06-01 |
Details
| Check Text ( C-37544r2_chk ) |
|---|
| 1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Ensure the value for the MaxFieldLength key is REG_DWORD 16384 (or less). If the registry value is not set to 16384 (or less) or missing, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding. |
| Fix Text (F-32790r1_fix) |
|---|
| 1. Open the registry editor. 2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. 3. Set the value for the MaxFieldLength key to REG_DWORD 16384 (or less) or add the key and set it to REG_DWORD 16384. |