Detections
Analytics
WA000-WI6080 IIS6 - The AllowRestrictedChars registry key must be disabled.
Information
IIS6 Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. If the AllowRestrictedChars key is set to a nonzero value, Http.sys accepts hex-escaped chars in request URLs that decode to U+0000 - U+001F and U+007F - U+009F ranges. If this capability is enabled it allows malicious characters to be hex-encoded by an attacker in an attempt to bypass input validation routines.Solution
1. Open the registry editor.2. Navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value for the AllowRestrictedChars key to REG_DWORD 0 or add the key and set it to REG_DWORD 0.
See Also
http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip
Item Details
Audit Name: DISA STIG IIS 6.0 Server v6r16
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-10, CAT|II, Rule-ID|SV-38160r1_rule, STIG-ID|WA000-WI6080_IIS6, Vuln-ID|V-13714
Plugin: Windows
Control ID: 1f56d15ff8d7af78dabc3c0fe8a7439f0234991d6d1a52c05c7010a562f4e9ee