Title

The IIS 8.5 MaxConnections setting must be configured to limit the number of allowed simultaneous session requests. (Cat II impact)

Discussion

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).

Check Content

Access the IIS 8.5 IIS Manager. Click the IIS 8.5 server. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". Expand "siteDefaults". Expand "limits". Review the results and verify the value is greater than zero for the "maxconnections" parameter. If the maxconnections parameter is set to zero, this is a finding.

Fix Text

Access the IIS 8.5 IIS Manager. Click the IIS 8.5 server. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". Expand "siteDefaults". Expand "limits". Set the "maxconnections" parameter to a value greater than zero.

Additional Identifiers

Rule ID: SV-214442r879511_rule

Vulnerability ID: V-214442

Group Title: SRG-APP-000001-WSR-000001

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.