DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 260694 - Last Review: July 7, 2008 - Revision: 5.3

This article was previously published under Q260694
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1)

On This Page

SUMMARY

You can use the new Internet Information Server (IIS) registry value MaxClientRequestBuffer to limit the cumulative bytes size of the request line and header fields sent in a request to IIS.

NOTE: In IIS 4.0, MaxClientRequestBuffer is only recognized when the program runs on Windows NT 4.0 Server Service Pack 5 or later.

MORE INFORMATION

Reason for MaxClientRequestBuffer

The MaxClientRequestBuffer registry value was added to IIS as a security measure, so that the maximum size of the request line and header fields could be set by the IIS administrator in order to reduce the likelihood of an attack caused by requests containing large amounts of data in the request line or headers.

NOTE: The HTTP specifications do not specify the maximum size of the request line or header fields.

For more information about a security problem that may occur when very large URLs that contain escape characters are used, see the security bulletin MS00-023 (http://www.microsoft.com/technet/security/bulletin/ms00-023.mspx (http://www.microsoft.com/technet/security/bulletin/ms00-023.mspx) ).

Default Sizes in IIS 4 and 5

In IIS 4.0, the default maximum size of request line and header fields is 2 megabytes (MB).

In IIS 5.0, this is reduced to 128 kilobytes (KB).
In IIS 5.0 with Windows 2000 Service Pack 4 installed, this is reduced to 16 KB.

Details of the Request Structure

The data limited by MaxClientRequestBuffer (the response line and headers), consists of all data from the first byte of the request through the last byte before the entity body. This includes the method, the URL, any additional path information, the query string, the HTTP version, all the headers, and the characters that delimit all parts of the request. In other words, this includes all data that is not part of the request's entity body.

Use POST Instead of GET to Send Large Amounts of Data in Request

GET requests use the URL portion of the request line to send information to IIS. The POST method, however, sends the information in the request's entity body instead. Therefore, you should consider using the POST method to send a large amount of data in the request.

MaxClientRequestBuffer Limit Is Affected by Buffers

Because IIS reads the blocks of the request data into buffers, the limit set by MaxClientRequestBuffer is not extremely precise. Therefore, after you use MaxClientRequestBuffer, you may have to test to see if the actual limit on the size of the client request and header fields is what you expect.

Side Effect on SF_STATUS_REQ_READ_NEXT

The use of MaxClientRequestBuffer can affect Internet Server Application Programming Interface (ISAPI) filters. If a filter attempts to use the SF_STATUS_REQ_READ_NEXT feature to read in a complete request before it would normally happen, it can encounter this limit, which causes requests to fail.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
255574  (http://support.microsoft.com/kb/255574/EN-US/ ) INFO: IIS Reports an Error with Filters Using the SF_STATUS_REQ_READ_NEXT Return Value.

Add the MaxClientRequestBuffer Registry Value

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

To change the maximum size of a URL request, perform the following to add the MaxClientRequestBuffer registry value:
  1. Run the Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters
  3. From the Edit menu, select Add Value, and then add the following registry value:
    Value Name: MaxClientRequestBuffer
    Data Type: REG_DWORD
  4. In the DWORD Editor dialog box, under Radix, select Decimal. In the Data text box, type the number of bytes for the maximum URL request size.

    Note You must restart the IIS service for the changes to take effect.
(c) Microsoft Corporation 2000, All Rights Reserved. Contributions by Kevin Zollman, Microsoft Corporation.


APPLIES TO
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
Keywords: 
kbwin2ksp4fix kbinfo KB260694
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support