UCF STIG Viewer Logo

The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.


Overview

Finding ID Version Rule ID IA Controls Severity
V-218826 IIST-SV-000200 SV-218826r561041_rule Medium
Description
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a Denial of Service (DoS) attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).
STIG Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide 2022-06-17

Details

Check Text ( C-20298r310953_chk )
Access the IIS 10.0 IIS Manager.

Click the IIS 10.0 server.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites".

Expand "siteDefaults".
Expand "limits".

Review the results and verify the value is greater than zero for the "maxconnections" parameter.

If the maxconnections parameter is set to zero, this is a finding.
Fix Text (F-20296r310954_fix)
Access the IIS 10.0 IIS Manager.

Click the IIS 10.0 server.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites".

Expand "siteDefaults".
Expand "limits".

Set the "maxconnections" parameter to a value greater than zero.