IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
This article describes how to limit the size of the HTTP request line and headers that Microsoft Internet Information Services (IIS) will accept from a client. Recent exploits against Microsoft Internet Information Server 4.0 and IIS 5.0, including the Code Red I and Code Red II worms, depend on sending an abnormally large amount of data in the HTTP application-layer header. That oversized header can overflow a buffer in the server-side code that handles it and potentially compromise the server. Limiting the request buffer is a defense-in-depth measure: it rejects such requests before the vulnerable code sees them, but it does not remove the vulnerable code itself, so the corresponding security patches should still be applied.
Internet Information Server 4.0 and IIS 5.0 support a method to control the maximum size of the request line and header fields that are accepted by the Internet Information Server and IIS World Wide Web service.
The MaxClientRequestBuffer registry entry is used to limit the amount of data that is accepted in the Internet Information Server and IIS request buffer. This data includes all the information from the first byte of the request through the last byte before the body of the request: the method, the URL, additional path information, the query string, the HTTP version, and all headers and the characters that delimit the portions of the request.
The default client request buffer size for Internet Information Server 4.0 is 2 megabytes (MB). The default client request buffer for IIS 5.0 is 128 kilobytes (KB). The default client request buffer for IIS 5.0 Service Pack 4 (SP4) is 16 KB. The IIS request buffer size may become the limiting factor for Kerberos authentication with large tokens if users are members of many groups, because the token is carried in the request headers. If a user's token is too large for the IIS server's request buffer, the user's Web browser receives the following response:
HTTP 400 Bad Request (The data is invalid)
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos
280830 Kerberos Authentication May Not Work If User Is a Member of Many Groups
Adding the MaxClientRequestBuffer Value to the Registry
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
NOTE: See the "Troubleshooting" section of this article before you follow these steps.
- Click Start, click Run, type regedt32, and then press ENTER.
- In Registry Editor, locate and click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters
- On the Edit menu, point to New, and then click DWORD Value.
- Type MaxClientRequestBuffer over the New Value #1 entry.
- Double-click the MaxClientRequestBuffer value.
- In the Edit DWORD Value dialog box, click Decimal in the Base area. In the Value data box, type the number of bytes (request line plus headers) that you want to allow to be buffered. Click OK.
- Quit Registry Editor.
- Restart the World Wide Web Publishing Service (W3SVC) for the change to take effect; the value is read when the service starts.
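The same change scripted in PowerShell, added here as an example and not taken from the original article. It assumes a Windows version with PowerShell and the Restart-Service cmdlet (IIS 4.0 and 5.0 hosts predate PowerShell and would use regedt32 as above), an elevated session, and the value 16384 as an illustrative starting point only; the key path and value name are those given in the article.

```powershell
# Added example: set MaxClientRequestBuffer for the IIS World Wide Web
# Publishing Service (W3SVC) and restart the service so the value is read.
# Key path and value name come from the article; 16384 (the IIS 5.0 SP4
# default) is an assumed starting point, not a recommendation for every server.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\w3svc\parameters'
$valueName = 'MaxClientRequestBuffer'
$bytes     = 16384   # decimal byte count allowed for request line + headers

# Writing under HKLM requires an elevated (Administrator) session.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current value (if any) before changing it, as the registry
# warning in the article asks, so it can be restored.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host ("Previous {0} = {1}" -f $valueName, $existing.$valueName)
} else {
    Write-Host "$valueName not set; IIS is using its built-in default."
}

# REG_DWORD stored as a decimal number; this is the same number you would
# type in regedt32 with 'Base: Decimal' selected. -Force overwrites an
# existing value.
New-ItemProperty -Path $keyPath -Name $valueName -Value $bytes `
    -PropertyType DWord -Force | Out-Null

# Read the value back to confirm what the service will see at start-up.
$check = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($check -ne $bytes) {
    throw "Registry write failed: expected $bytes, found $check"
}

# The limit is read when W3SVC starts, so restart it (-Force also restarts
# services that depend on W3SVC).
Restart-Service -Name W3SVC -Force
Get-Service -Name W3SVC | Select-Object Name, Status
```

Restarting W3SVC drops in-flight connections, so run this in a maintenance window; if the site then answers every request with "HTTP 400 Bad Request", the value is too small for the clients' headers (see the Kerberos token discussion above) and should be raised.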
Troubleshooting
The limit that is set by the MaxClientRequestBuffer registry value is not exact: requests slightly smaller than the configured byte count may still be rejected, or slightly larger ones accepted. You may need to experiment with different values to get the results you require. This is especially important because the setting also affects ISAPI filters, which see the request headers through the same buffer; a value that is too small can break a filter that depends on a large header.
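Because the limit is imprecise, the practical way to find where a server actually starts rejecting requests is to measure it. The following PowerShell script is an added example, not part of the original article: it sends raw HTTP requests whose request line plus headers total a chosen byte count and binary-searches for the size at which the server begins answering "400 Bad Request". The host name, port, path and the search bounds are assumptions for a lab server you control.

```powershell
# Added example: measure the effective request-buffer limit of an IIS server
# by sending requests with a padded header and looking for the 400 response.
# $TargetHost/$TargetPort/$TargetPath are assumed lab values; run this only
# against servers you own.

$TargetHost = 'iis.example.internal'
$TargetPort = 80
$TargetPath = '/'

function Send-SizedRequest {
    param([int]$HeaderBytes)

    # Build everything before the body (request line, fixed headers, and a
    # filler header) so that the whole pre-body block is exactly $HeaderBytes
    # long. All characters are ASCII, so string length equals byte count.
    $fixed  = "GET $TargetPath HTTP/1.1`r`nHost: $TargetHost`r`nConnection: close`r`nX-Pad: "
    $tail   = "`r`n`r`n"
    $padLen = $HeaderBytes - $fixed.Length - $tail.Length
    if ($padLen -lt 0) {
        throw "HeaderBytes must be at least $($fixed.Length + $tail.Length)"
    }
    $request = $fixed + ('a' * $padLen) + $tail

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $data = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($data, 0, $data.Length)
        $stream.Flush()

        # Only the status line matters here, e.g. "HTTP/1.1 400 Bad Request".
        $reader = New-Object System.IO.StreamReader($stream)
        $status = $reader.ReadLine()
        if (-not $status) { return 'no response (connection closed)' }
        return $status
    } finally {
        $client.Close()
    }
}

function Test-Rejected {
    param([string]$Status)
    # A 400 status or a closed connection with no status line both count as
    # the server refusing the oversized request.
    return ($Status -match ' 400 ') -or ($Status -like 'no response*')
}

# Binary search between a size assumed to be accepted and one assumed to be
# rejected (262144 is above every default listed in the article).
$low  = 1024
$high = 262144
while ($high - $low -gt 64) {
    $mid    = [int](($low + $high) / 2)
    $status = Send-SizedRequest -HeaderBytes $mid
    Write-Host ("{0,7} bytes -> {1}" -f $mid, $status)
    if (Test-Rejected $status) { $high = $mid } else { $low = $mid }
}
Write-Host "Effective limit is between $low and $high bytes of request line + headers."
```

The search stops at a 64-byte window rather than an exact number because, as the article notes, the cut-off is not precise; the useful result is whether the window sits comfortably above the largest legitimate header your clients send (for Kerberos, the Authorization header carrying the token) and below the size the exploit traffic relies on.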