STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.

DISA Rule

SV-214489r508659_rule

Vulnerability Number

V-214489

Group Title

SRG-APP-000516-WSR-000174

Rule Version

IISW-SI-000256

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Open the IIS 8.5 Manager.

Click the “Application Pools”.

Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane.

Scroll down to the “General” section and set the value for “Queue Length” to “1000” or less.

Click “OK”.

Check Contents

Open the IIS 8.5 Manager.

Perform for each Application Pool.

Click the “Application Pools”.

Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane.

Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000.

If the "Queue Length" is set to "1000" or less, this is not a finding.

Vulnerability Number

V-214489

Documentable

False

Rule Version

IISW-SI-000256

Severity Override Guidance

Open the IIS 8.5 Manager.

Perform for each Application Pool.

Click the “Application Pools”.

Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane.

Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000.

If the "Queue Length" is set to "1000" or less, this is not a finding.

Check Content Reference

M

Target Key

4001

Comments