WA000-WI6086 IIS6 - The MaxFieldLength registry entry must be set properly.

Information

By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size of any individual HTTP client request. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. Setting this value to high, when the application does not require it to operate, may cause performance problems as well as Denial of Service issues for the web server.

Solution

1. Open the registry editor.
2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the MaxFieldLength key to REG_DWORD 16384 (or less) or add the key and set it to REG_DWORD 16384.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, Rule-ID|SV-38163r2_rule, STIG-ID|WA000-WI6086_IIS6, Vuln-ID|V-13717

Plugin: Windows

Control ID: 07b773dda2c8ba61f6b2dd09bcf61a79988c9c519c28e1cc4bc6bb17d56222fb