Title

The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured. (Cat II impact)

Discussion

In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.

Check Content

If this IIS 8.5 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Open the IIS 8.5 Manager. Perform for each Application Pool. Click the "Application Pools". Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000. If the "Queue Length" is set to "1000" or less, this is not a finding.

Fix Text

Open the IIS 8.5 Manager. Click the "Application Pools". Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. Scroll down to the "General" section and set the value for "Queue Length" to "1000" or less. Click "OK".

Additional Identifiers

Rule ID: SV-214489r879887_rule

Vulnerability ID: V-214489

Group Title: SRG-APP-000516-WSR-000174

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.