4.2 Ensure 'maxURL request filter' is configured - Applications

Information

The maxURL attribute of the <requestLimits> element is the maximum length, in bytes, that a requested URL (excluding the query string) may have for IIS to accept the request. Configuring this Request Filter lets administrators restrict the length of the requests the server will accept.

It is recommended that a limit be put on the length of the URL.

Rationale:

With a properly configured Request Filter limiting the amount of data accepted in the URL, chances of undesired application behaviors affecting the availability of content and services are reduced.

Impact:

Length of the URL will be restricted to the maximum value set.

Solution

The MaxURL Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or by directly editing the configuration files. To configure using the IIS Manager GUI:

Open Internet Information Services (IIS) Manager

In the Connections pane, click on the connection, site, application, or directory to be configured

In the Home pane, double-click Request Filtering

Click Edit Feature Settings... in the Actions pane

Under the Request Limits section, enter the maximum URL length in bytes that has been tested with the web applications

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxURL:4096

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/requestLimits' -name 'maxUrl' -value 4096
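The following PowerShell script is an added example, not part of the CIS benchmark or the Tenable plugin text. It audits the server-wide maxUrl value and the effective value for every site (a site-level override can differ from the server default), reports PASS or FAIL against the 4096-byte limit given in this control, and remediates the server-wide setting only when it exceeds that limit. The helper name Get-MaxUrlSetting and the pass criterion "at or below 4096" are assumptions made for this example; the cmdlets, filter path and attribute name are the ones used in the Solution above.

```powershell
# Added example (not from the CIS benchmark or Tenable plugin): audit and remediate
# the requestLimits maxUrl attribute with the WebAdministration module.
Import-Module WebAdministration

$Filter   = 'system.webServer/security/requestFiltering/requestLimits'
$Expected = 4096   # limit recommended by this control; adjust only after testing with your applications

# Hypothetical helper: read maxUrl at the server level or for one site via -Location
function Get-MaxUrlSetting {
    param(
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST',
        [string]$Location = ''
    )
    $params = @{ PSPath = $PSPath; Filter = $Filter; Name = 'maxUrl' }
    if ($Location) { $params.Location = $Location }
    [int](Get-WebConfigurationProperty @params).Value
}

# 1. Server-wide setting (applicationHost.config)
$serverValue = Get-MaxUrlSetting
Write-Host "Server-wide maxUrl = $serverValue bytes"

# 2. Effective value per site; a site can override the server default
foreach ($site in Get-Website) {
    $siteValue = Get-MaxUrlSetting -Location $site.Name
    # Assumption for this example: a value at or below the expected limit passes
    $status = if ($siteValue -le $Expected) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-30} maxUrl = {1,-8} {2}" -f $site.Name, $siteValue, $status)
}

# 3. Remediate the server-wide value only when it is larger than the limit
if ($serverValue -gt $Expected) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter $Filter -Name 'maxUrl' -Value $Expected
    Write-Host "Server-wide maxUrl lowered to $Expected bytes"
}
```

Run the script in an elevated PowerShell session on the IIS host. Sites reported as FAIL carry their own requestLimits override in web.config or a <location> block, so lowering the server-wide value alone will not change them; re-run the same Set-WebConfigurationProperty call with -Location set to the site name after confirming that the site's applications work with the shorter limit.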

Default Value:

When Request Filtering is installed on a system, the default value of maxURL is 4096.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: 3ae9e565ef91c74a8f89758599d14c7c0b47266fd43c6e743f2a89f0971511de