Title

The maximum number of requests an application pool can process must be set. (Cat II impact)

Discussion

A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.

Check Content

1. Open the IIS Manager > Right click on the Application Pool that corresponded to the web site being reviewed > Select Properties > Select the Recycling tab. 2. Ensure the Recycle worker processes (number of requests) is enabled and the value is set to 35000 or less. If the value is not set properly, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Fix Text

1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab. 2. Ensure the Recycle worker processes (number of requests) is enabled and the value is set to 35000 or less.

Additional Identifiers

Rule ID: SV-38132r2_rule

Vulnerability ID: V-13705

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.