How to limit the header size of the HTTP transmission that IIS accepts from a client in Windows 2000

Article translations Article translations
Article ID: 310156 - View products that this article applies to.
This article was previously published under Q310156
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1
Expand all | Collapse all

On This Page

SUMMARY

This article describes how to limit the header size of the HTTP transmission that Microsoft Internet Information Services (IIS) will accept from a client. Recent exploits perpetrated against Microsoft Internet Information Server 4.0 and IIS 5.0 depend on the ability to send large amounts of data in the HTTP application-layer header. Examples of such exploits include the Code Red versions I and II worms. The abnormally large amount of information that is contained in the application-layer header may cause a buffer overflow and could potentially compromise the server.

Internet Information Server 4.0 and IIS 5.0 support a method to control the maximum size of the request line and header fields that are accepted by the Internet Information Server and IIS World Wide Web service.

The MaxClientRequestBuffer registry entry is used to limit the amount of data that is accepted in the Internet Information Server and IIS request buffer. This data includes all the information from the first byte of the request through the last byte before the body of the request. This includes the method, the URL, additional path information, the query string, the HTTP version, and all headers and characters that delimit all portions of the request.

The default client request buffer size for Internet Information Server 4.0 is 2 megabytes (MB). The default client request buffer for IIS 5.0 is 128 kilobytes (KB). The default client request buffer for IIS 5.0 Service Pack 4 (SP4) is 16 KB. IIS request buffer size may become the limiting factor for Kerberos authentication with large tokens if users are members of many groups. If a user does have a token that is too large for the IIS server, the client will receive the following in the client's Web browser:
HTTP 400 Bad Request (The data is invalid)
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos

Adding the MaxClientRequestBuffer Value to the Registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
NOTE: See the "Troubleshooting" section of this article before you follow these steps.
  1. Click Start, click Run, type regedt32, and then press ENTER.
  2. In Registry Editor, locate and click the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MaxClientRequestBuffer over the New Value #1 entry.
  5. Double-click the MaxClientRequestBuffer value.
  6. In the Edit DWORD Value dialog box, click Decimal in the Base area. In the Value data box, type the byte value that you want to allow to be buffered. Click OK.
  7. Quit Registry Editor.
  8. Restart the Web Publishing service for the changes to take effect.

Troubleshooting


The limit that is set by the MaxClientRequestBuffer registry value is not extremely precise. You may need to experiment with different values to get the results you require. This is especially important because this setting can effect ISAPI filters.




REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
255574 Internet Information Services reports an error with filters that use the SF_STATUS_REQ_READ_NEXT return value

Properties

Article ID: 310156 - Last Review: July 3, 2008 - Revision: 6.0
APPLIES TO
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
Keywords: 
kbhowtomaster KB310156

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com