Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-218756 | IIST-SI-000228 | SV-218756r961152_rule | CCI-001094 | medium |
| Description | ||||
| Setting limits on web requests ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters. | ||||
| STIG | Date | |||
| Microsoft IIS 10.0 Site Security Technical Implementation Guide | 2025-06-09 | |||
Details
Check Text (C-218756r961152_chk)
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name.
Double-click the "Request Filtering" icon.
Click "Edit Feature Settings" in the "Actions" pane.
If the "Allow high-bit characters" check box is checked, this is a finding.
Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
Fix Text (F-20227r311167_fix)
Follow the procedures below for each site hosted on the IIS 10.0 web server:
Open the IIS 10.0 Manager.
Click the site name under review.
Double-click the "Request Filtering" icon.
Click "Edit Feature Settings" in the "Actions" pane.
Uncheck the "Allow high-bit characters" check box.