4.3 Ensure 'MaxQueryString request filter' is configured - Default

Information

The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications.

It is recommended that values always be established to limit the amount of data that can be accepted in the query string.

Rationale:

With a properly configured Request Filter limiting the amount of data accepted in the query string, chances of undesired application behaviors such as app pool failures are reduced.

Impact:

The amount of data to be accepted in the query string will be limited.

Solution

The MaxQueryString Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:

Open Internet Information Services (IIS) Manager

In the Connections pane, go to the connection, site, application, or directory to be configured

In the Home pane, double-click Request Filtering

Click Edit Feature Settings... in the Actions pane

Under the Request Limits section, key in a safe upper bound in the Maximum query string (Bytes) textbox

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /requestLimits.maxQueryString:2048

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/requestLimits' -name 'maxQueryString' -value 2048

Default Value:

When request filtering is installed on a system, the default value is maxQueryString='2048'.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: f9cf909c74c0d1555f54df4061118e3873ba175bf86a9486580dd4ee5ff738db