WA000-WI6098 IIS6 - The MaxRequestEntityAllowed metabase value must be defined. - 'IisWebServerSetting'

Information

IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequest EntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool.

The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.

Solution

1. From the CLI navigate to the location of the adsutil.vbs script.
2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000
3. Press Enter.
4. Restart IIS.

NOTE: You may have to put cscript in front of the command adsutil.vbs (i.e. cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, Rule-ID|SV-38047r2_rule, STIG-ID|WA000-WI6098_IIS6, Vuln-ID|V-13723

Plugin: Windows

Control ID: bfc535657f613d7f1b903fcffd60c673ac5d3f71ef834a75fec8a5ef230af33b