JSI Tip 4247. How do I limit the header size of the HTTP transmission that Microsoft Internet Information Services (IIS) will accept from a client?
October 21, 2001
Microsoft Knowledge Base Article 310156 contains the following summary:
This article describes how to limit the header size of the HTTP transmission that Microsoft Internet Information Services (IIS) will accept from a client. Recent exploits perpetrated against Microsoft Internet Information Server 4.0 and IIS 5.0 depend on the ability to send large amounts of data in the HTTP application-layer header. Examples of such exploits include the Code Red versions I and II worms. The abnormally large amount of information that is contained in the application-layer header may cause a buffer overflow and could potentially compromise the server.
Internet Information Server 4.0 and IIS 5.0 support a method to control the maximum size of the request line and header fields that are accepted by the Internet Information Server and IIS World Wide Web service.
The MaxClientRequestBuffer registry entry is used to limit the amount of data that is accepted in the Internet Information Server and IIS request buffer. This data includes all the information from the first byte of the request through the last byte before the body of the request. This includes the method, the URL, additional path information, the query string, the HTTP version, and all headers and characters that delimit all portions of the request.
The default client request buffer size for Internet Information Server 4.0 is 2 megabytes (MB). The default client request buffer for IIS 5.0 is 128 kilobytes (KB). The default client request buffer for IIS 5.0 Service Pack 4 (SP4) is 16 KB. IIS request buffer size may become the limiting factor for Kerberos authentication with large tokens if users are members of many groups. If a user does have a token that is too large for the IIS server, the client will receive the following in the client's Web browser:
HTTP 400 Bad Request (The data is invalid)
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base: 277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos280830 Kerberos Authentication May Not Work If User Is a Member of Many Groups
Read more about:
MicrosoftAbout the Author
You May Also Like