
Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.


Overview

Finding ID: V-218756
Version: IIST-SI-000228
Rule ID: SV-218756r558649_rule
IA Controls:
Severity: Medium
Description
Setting limits on web requests helps preserve the availability of web services and mitigates the risk of buffer overflow type attacks. The "Allow high-bit characters" Request Filtering setting controls whether IIS accepts URLs containing non-ASCII (high-bit) characters; when it is unchecked, IIS rejects such requests.
STIG: Microsoft IIS 10.0 Site Security Technical Implementation Guide
Date: 2021-06-23

Details

Check Text (C-20229r311166_chk)
Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the "Request Filtering" icon.

Click "Edit Feature Settings" in the "Actions" pane.

If the "Allow high-bit characters" check box is checked, this is a finding.

Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
Fix Text (F-20227r311167_fix)
Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name under review.

Double-click the "Request Filtering" icon.

Click "Edit Feature Settings" in the "Actions" pane.

Uncheck the "Allow high-bit characters" check box.
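
The check and fix above can also be scripted so every site on the server is audited in one pass. The following PowerShell is an added example and is not part of the STIG; it assumes the WebAdministration module (installed with the IIS management tools) is available and that the session is elevated. The checkbox in IIS Manager maps to the allowHighBitCharacters attribute of the system.webServer/security/requestFiltering section, read here at site scope so the effective (inherited or overridden) value is what is reported.

```powershell
# Added example (not from the STIG text): audit and optionally remediate
# IIST-SI-000228 on every site hosted on the local IIS 10.0 server.
# Assumes the WebAdministration module and an elevated PowerShell session.
# Run without -Fix to audit only; add -Fix -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix
)

Import-Module WebAdministration -ErrorAction Stop

$filter = 'system.webServer/security/requestFiltering'
$name   = 'allowHighBitCharacters'

function Get-HighBitSetting {
    param([string]$SitePath)
    # Get-WebConfigurationProperty returns either a raw value or a
    # ConfigurationAttribute wrapper depending on the attribute type;
    # normalise both to [bool].
    $raw = Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name $name
    if ($raw -is [bool]) { return $raw }
    return [bool]$raw.Value
}

$findings = @()
foreach ($site in Get-Website) {
    $path  = "IIS:\Sites\$($site.Name)"
    $allow = Get-HighBitSetting -SitePath $path

    if (-not $allow) {
        Write-Host ("{0,-40} compliant (allowHighBitCharacters = False)" -f $site.Name)
        continue
    }

    # A checked "Allow high-bit characters" box is allowHighBitCharacters="true",
    # which is a finding. If this server only supports Microsoft Exchange and
    # hosts no other content, the requirement is Not Applicable; review the
    # list before applying -Fix.
    $findings += $site.Name
    Write-Warning ("{0}: FINDING - allowHighBitCharacters is True" -f $site.Name)

    if ($Fix -and $PSCmdlet.ShouldProcess($site.Name, "Set $name to False")) {
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name $name -Value $false
        Write-Host ("{0,-40} remediated" -f $site.Name)
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings for IIST-SI-000228.'
} else {
    Write-Host ("{0} site(s) with findings: {1}" -f $findings.Count, ($findings -join ', '))
}
```

Save the script (for example as Check-HighBit.ps1) and run it with no arguments to audit, with -Fix -WhatIf to see which sites would be changed, and with -Fix to apply the setting. The equivalent one-site change with appcmd is: appcmd set config "Default Web Site" -section:system.webServer/security/requestFiltering /allowHighBitCharacters:False. Two practical caveats: Set-WebConfigurationProperty at site scope writes the value into that site's own web.config, so a content redeployment that replaces web.config can silently revert it, which is why the audit mode is worth keeping in a scheduled job; and once the setting is off, a request whose URL contains a byte above 0x7F is rejected by the Request Filtering module with HTTP 404.12, so applications that legitimately serve non-ASCII paths must percent-encode them before this is enforced.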