UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The MaxRequestEntityAllowed metabase value must be defined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13723 WA000-WI6098 IIS6 SV-38047r2_rule ECSC-1 Medium
Description
IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequest EntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.
STIG Date
IIS6 Site 2015-06-01

Details

Check Text ( C-37409r2_chk )
1. Open the MBSchema.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv)
2. Press CNTRL+F > Enter “MaxRequestEntityAllowed” > Select the Find Next button.
3. Ensure the Attributes attribute is set to INHERIT.
4. Open the metabase.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv)
5. Press CNTRL+F > Enter Location= ‘’/LM/W3SVC’’ > Select Find Next.
6. In the search box now enter MaxRequestEntityAllowed > Check Match whole word only & Match case > Press Find Next.
7. Ensure the MaxRequestEntityAllowed attribute is present within the /LM/W3SVC key and set to 30000000 or less.

If the MaxRequestEntityAllowed attribute is not set to INHERIT, this is a finding.
If the MaxRequestEntityAllowed attribute is not found, this is a finding.
If the MaxRequestEntityAllowed attribute is not found within the /LM/W3SVC key, this is a finding.
If it is found and has a value greater than 30000000, this is a finding.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased value. If the site has this documentation, this should be marked as not a finding.
Fix Text (F-32645r1_fix)
1. From the CLI navigate to the location of the adsutil.vbs script.
2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000
3. Press Enter.
4. Restart IIS.

NOTE: You may have to put cscript in front of the command adsutil.vbs (i.e. cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).