IISW-SV-000200 - The IIS 8.5 MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Resource exhaustion can occur when an unlimited number of concurrent requests is allowed on a website, facilitating a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).

Solution

Access the IIS 8.5 IIS Manager.

Click the IIS 8.5 server.

Select 'Configuration Editor' under the 'Management' section.

From the 'Section:' drop-down list at the top of the configuration editor, locate 'system.applicationHost/sites'.

Expand 'siteDefaults'.
Expand 'limits'.

Set the 'maxconnections' parameter to a value greater than zero.
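
The same check and setting done from PowerShell, as an added example that is not part of the STIG or of this audit: it reads 'maxConnections' under siteDefaults/limits, sets it only when it is zero, and goes one step beyond the procedure above by listing each site's effective value, since a limit set on an individual site overrides the default. It assumes the WebAdministration module is installed; the value 1000 is a constructed placeholder, not a recommended number.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$psPath  = 'MACHINE/WEBROOT/APPHOST'                           # applicationHost.config
$filter  = 'system.applicationHost/sites/siteDefaults/limits'  # section path from the steps above
$desired = 1000   # assumption: placeholder, size this to the server's capacity

# Read the current server-wide default.
$current = [uint32](Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
                        -Name 'maxConnections').Value
"siteDefaults maxConnections = $current"

# The requirement is a value greater than zero; change it only when it is not.
if ($current -eq 0) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name 'maxConnections' -Value $desired
    "siteDefaults maxConnections set to $desired"
}

# A <limits> element on an individual site overrides siteDefaults,
# so report the effective value for every site as well.
foreach ($site in Get-Website) {
    $siteFilter = "system.applicationHost/sites/site[@name='$($site.Name)']/limits"
    $siteMax = [uint32](Get-WebConfigurationProperty -PSPath $psPath -Filter $siteFilter `
                            -Name 'maxConnections').Value
    [pscustomobject]@{
        Site           = $site.Name
        MaxConnections = $siteMax
        Compliant      = ($siteMax -gt 0)
    }
}
```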

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y23M04_STIG.zip