Information
The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications.
It is recommended that values always be established to limit the amount of data that can be accepted in the query string.
Rationale:
With a properly configured Request Filter limiting the amount of data accepted in the query string, chances of undesired application behaviors such as app pool failures are reduced.
Impact:
The amount of data to be accepted in the query string will be limited.
Solution
The MaxQueryString Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
Open Internet Information Services (IIS) Manager
In the Connections pane, go to the connection, site, application, or directory to be configured
In the Home pane, double-click Request Filtering
Click Edit Feature Settings... in the Actions pane
Under the Request Limits section, key in a safe upper bound in the Maximum query string (Bytes) textbox
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxQueryString:2048
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/requestLimits' -name 'maxQueryString' -value 2048
Default Value:
When request filtering is installed on a system, the default value is maxQueryString='2048'.