
The PercentUAllowed registry entry must be set properly.


Overview

Finding ID: V-13720
Version: WA000-WI6092 IIS6
Rule ID: SV-38166r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Http.sys is the kernel-mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The PercentUAllowed key allows the web server to accept Unicode character syntax via ASCII (i.e., through the URL). Allowing this type of notation opens the web server to encoding attacks.
STIG: IIS6 Server
Date: 2015-06-01

Details

Check Text (C-37547r1_chk)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value for the PercentUAllowed key is set to REG_DWORD 0.

If the registry value is not set to 0 or is missing, this is a finding.
Fix Text (F-32793r1_fix)
1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the PercentUAllowed key to REG_DWORD 0 or add the key and set it to REG_DWORD 0.
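
The check and fix steps above can be scripted for use across several servers. The following PowerShell is an added example, not part of the STIG; the function names Test-PercentUAllowed and Set-PercentUAllowedOff and the -Remediate switch are hypothetical names chosen for illustration.

```powershell
# Added example: audit (and optionally fix) PercentUAllowed per the check/fix text.
# Run elevated. -Remediate is a hypothetical switch name used for this example.
param([switch]$Remediate)

$Path = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$Name = 'PercentUAllowed'

function Test-PercentUAllowed {
    # Compliant only if the value exists, is REG_DWORD, and equals 0.
    # A missing value is a finding, exactly as the check text states.
    $result = New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Compliant = $false; Detail = ''
    }
    if (-not (Test-Path -Path $Path)) {
        $result.Detail = 'Parameters key is missing'
        return $result
    }
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Detail = "$Name is missing"
        return $result
    }
    $kind  = $key.GetValueKind($Name)
    $value = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A REG_SZ "0" would look right in a casual check but is not REG_DWORD 0.
        $result.Detail = "$Name has type $kind, expected DWord"
    } elseif ($value -ne 0) {
        $result.Detail = "$Name is $value, expected 0"
    } else {
        $result.Compliant = $true
        $result.Detail = "$Name is REG_DWORD 0"
    }
    return $result
}

function Set-PercentUAllowedOff {
    # Fix text: add the value if absent, or overwrite it, as REG_DWORD 0.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
}

$status = Test-PercentUAllowed
if (-not $status.Compliant -and $Remediate) {
    Set-PercentUAllowedOff
    # http.sys reads its Parameters when the HTTP service starts, so the
    # new value applies after that service (and dependent IIS services) restarts.
    $status = Test-PercentUAllowed
}
$status | Format-List Computer, Compliant, Detail
```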