
The UrlSegmentMaxLength registry entry must be set properly.


Overview

Finding ID: V-13719
Version: WA000-WI6090 IIS6
Rule ID: SV-38165r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Http.sys is the kernel-mode driver that handles HTTP requests. There are several registry keys associated with Http.sys. The UrlSegmentMaxLength key sets the maximum number of characters in a URL path segment (the area between the slashes in the URL). Setting this value too large may cause performance problems or a denial-of-service condition on the web server.
STIG: IIS6 Server
Date: 2015-06-01

Details

Check Text (C-37546r1_chk)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the UrlSegmentMaxLength key is set to REG_DWORD 260 (or less).
If the registry key is not set to 260 (or less) or is missing, this is a finding.
Fix Text (F-32792r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the UrlSegmentMaxLength key to REG_DWORD 260 (or less) or add the key and set it to REG_DWORD 260.
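
The check and fix steps above can be scripted as a PowerShell function. This is an added example, not part of the STIG; the function name, its parameters and the output fields are illustrative.

```powershell
# Added example, not part of the STIG. Function name and output fields are illustrative.
function Test-UrlSegmentMaxLength {
    [CmdletBinding()]
    param(
        [string]$Path  = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters',
        [int]   $Limit = 260,
        [switch]$Fix    # apply the Fix Text when the check fails (requires elevation)
    )
    $name   = 'UrlSegmentMaxLength'
    $reason = $null
    $kind   = $null
    $value  = $null

    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $reason = 'Parameters key not found'
    } elseif ($key.GetValueNames() -notcontains $name) {
        $reason = 'value is missing'
    } else {
        $kind  = $key.GetValueKind($name)
        $value = $key.GetValue($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $reason = "type is $kind, not REG_DWORD"
        } elseif ($value -lt 0 -or $value -gt $Limit) {
            # .NET returns a DWORD as a signed Int32, so a negative number
            # is really a DWORD of 0x80000000 or more.
            $reason = "value exceeds $Limit"
        }
    }

    if ($reason -and $Fix) {
        if (-not $key) { New-Item -Path $Path -Force | Out-Null }
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
        return Test-UrlSegmentMaxLength -Path $Path -Limit $Limit   # re-check after writing
    }

    [pscustomobject]@{
        Name    = $name
        Kind    = $kind
        Value   = $value
        Finding = [bool]$reason   # $true when the check text calls this a finding
        Reason  = $reason
    }
}

Test-UrlSegmentMaxLength
```

Microsoft's Http.sys registry documentation states that changes under this key take effect only after the HTTP service is restarted. The same documentation describes a value of 0 as bounded only by the maximum ULONG, so a 0 that passes the "260 (or less)" check deserves a manual review.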