Limit Buffer Size on IIS

If you read theWin2KSecurity Advice mailing list, you know that Marc (from the eEye Digital Security Team) recently pointed out that a new Microsoft Support Online article (Q260694) reveals a useful security configuration setting within IIS.

If you run IIS on Windows NT with Service Pack 5 (SP5) or later, you should take advantage of a new Registry key, MaxClientRequestBuffer. The key lets a user set a maximum limit for the cumulative size (in bytes) of the URL request line and header fields sent in a request to IIS.

In IIS 4.0, the default maximum size of request line and header fields is 2MB, and in IIS 5.0, the size is only 128KB. By taking advantage of the larger size on IIS 4.0, an attacker could launch Denial of Service (DoS) attacks against the server by repeatedly consuming large amounts of server memory. By adjusting the Registry, administrators can control that size to reduce the chance of successful attacks.

Be sure to read Support Online article Q260694 for complete details about the Registry key, and also read security bulletin MS00-023 to learn how excessively large buffers can lead to DoS attacks against your servers.