UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The MaxFieldLength registry entry must be set properly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13717 WA000-WI6086 IIS6 SV-38163r2_rule ECSC-1 Medium
Description
By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. Setting this value to high, when the application does not require it to operate, may cause performance problems as well as Denial of Service issues for the web server.
STIG Date
IIS6 Server 2015-06-01

Details

Check Text ( C-37544r2_chk )
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the MaxFieldLength key is REG_DWORD 16384 (or less).
If the registry value is not set to 16384 (or less) or missing, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix Text (F-32790r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the MaxFieldLength key to REG_DWORD 16384 (or less) or add the key and set it to REG_DWORD 16384.