STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft IIS 10.0 Site Security Technical Implementation Guide

V-218756

CAT II (Medium)

Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.

Rule ID

SV-218756r1210388_rule

STIG

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version

V2R16

CCIs

CCI-001094

Discussion

Setting limits on web requests ensures availability of web services and mitigates the risk of buffer overflow type attacks. The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters.

Check Content

Note: If either of the following is true, this requirement is Not Applicable:
- The server being reviewed is hosting SharePoint.
- This IIS 10.0 installation is supporting Microsoft Exchange and not otherwise hosting any content.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name.

Double-click the "Request Filtering" icon.

Click "Edit Feature Settings" in the "Actions" pane.

If the "Allow high-bit characters" check box is checked, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name under review.

Double-click the "Request Filtering" icon.

Click "Edit Feature Settings" in the "Actions" pane.

Uncheck the "Allow high-bit characters" check box.