Check: WA000-WI6098 IIS6
IIS6 Site:
WA000-WI6098 IIS6
(in version v6 r16)
Title
The MaxRequestEntityAllowed metabase value must be defined. (Cat II impact)
Discussion
IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequest EntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.
Check Content
1. Open the MBSchema.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv) 2. Press CNTRL+F > Enter “MaxRequestEntityAllowed” > Select the Find Next button. 3. Ensure the Attributes attribute is set to INHERIT. 4. Open the metabase.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv) 5. Press CNTRL+F > Enter Location= ‘’/LM/W3SVC’’ > Select Find Next. 6. In the search box now enter MaxRequestEntityAllowed > Check Match whole word only & Match case > Press Find Next. 7. Ensure the MaxRequestEntityAllowed attribute is present within the /LM/W3SVC key and set to 30000000 or less. If the MaxRequestEntityAllowed attribute is not set to INHERIT, this is a finding. If the MaxRequestEntityAllowed attribute is not found, this is a finding. If the MaxRequestEntityAllowed attribute is not found within the /LM/W3SVC key, this is a finding. If it is found and has a value greater than 30000000, this is a finding. NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased value. If the site has this documentation, this should be marked as not a finding.
Fix Text
1. From the CLI navigate to the location of the adsutil.vbs script. 2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000 3. Press Enter. 4. Restart IIS. NOTE: You may have to put cscript in front of the command adsutil.vbs (i.e. cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).
Additional Identifiers
Rule ID: SV-38047r2_rule
Vulnerability ID: V-13723
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |