UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.


Overview

Finding ID Version Rule ID IA Controls Severity
V-76823 IISW-SI-000228 SV-91519r1_rule Medium
Description
By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters.
STIG Date
IIS 8.5 Site Security Technical Implementation Guide 2018-04-06

Details

Check Text ( C-76479r1_chk )
Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click on the site name.

Double-click the "Request Filtering" icon.

Click “Edit Feature Settings” in the "Actions" pane.

If the "Allow high-bit characters" check box is checked, this is a finding.
Fix Text (F-83519r1_fix)
Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click the "Request Filtering" icon.

Click “Edit Feature Settings” in the "Actions" pane.

Uncheck the "Allow high-bit characters" check box.