Client Requests Error Out or Time Out

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS 6.0 ships with aggressive, secure default settings to minimize attacks that take advantage of timeouts and limits that were previously too generous. IIS enforces the following timeouts at the connection level:

  • Limits on response buffering. The metabase property ASPBufferingLimit is 4 MB, by default. If ASP scripts buffer more than this, they generate an error. Prior to IIS 6.0, there was no limit to buffering.

  • Limits on posts. The metabase property AspMaxRequestEntityAllowed enforces a maximum ASP POST size of 204800 bytes, with each individual field limited to 100 KB. Prior to IIS 6.0, there was no limit to posts.

  • The ServerListenTimeout property is no longer available. The metabase property ServerListenTimeout has been replaced by the following metabase properties:

    • ConnectionTimeout. This property specifies the amount of time, in seconds, that the server waits before disconnecting an inactive connection.

    • MinFileBytesPerSec. When IIS responds to a client request, the MinFileBytesPerSec property determines the length of time that the client has to receive the entire response. If the client computer takes too long to receive the entire response, the kernel-mode driver, HTTP.sys, terminates the connection according to the timeout value.

    • HeaderWaitTimeout. When a client connects to the Web server, the client computer is given a time limit to send all headers for the request (terminated by a final double \r\n). If the complete header set for the request is not received within the time period indicated by HeaderWaitTimeout, HTTP.sys resets the connection. You can configure the value of HeaderWaitTimeout.

  • Header size limitation. By default, HTTP.sys accepts only requests where the size of the request header is less than 16 KB. This means that if HTTP.sys does not receive the terminating carriage return/line feed (CRLF) pair sequence within 16 KB, HTTP.sys considers the request malicious and terminates the connection. You can change the header size limitation by adjusting the value of the registry entry MaxRequestBytes. Note that this entry does not exist in the registry by default. To add it to the registry, use the registry editor, Regedit.exe.
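
When a client request errors out, it helps to know which of these defaults it hit. The following is an added example, not Microsoft code: a Python pre-flight check that runs a captured raw request through the header size and ASP POST limits listed above. The /form.asp path, the example.test host, the exact boundary handling, and measuring fields as raw (still-encoded) bytes are assumptions.

```python
# Added example: models the IIS 6.0 default request limits described on this page.
# Boundary handling and measuring fields as raw (still-encoded) bytes are assumptions.
MAX_HEADER_BYTES = 16 * 1024       # HTTP.sys default header limit (MaxRequestBytes)
ASP_MAX_ENTITY_BYTES = 204800      # AspMaxRequestEntityAllowed default
ASP_MAX_FIELD_BYTES = 100 * 1024   # per-field limit for ASP POSTs


def check_request(raw: bytes) -> list:
    """Return the limits a raw request to an ASP page would trip ([] if none)."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        # No terminating CRLF pair yet: over the limit means the connection is
        # dropped; otherwise the request is still subject to HeaderWaitTimeout.
        return ["header-size"] if len(raw) >= MAX_HEADER_BYTES else ["header-incomplete"]
    if end + 4 >= MAX_HEADER_BYTES:
        return ["header-size"]

    lines = raw[:end].split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if method != b"POST":
        return []

    body = raw[end + 4:]
    declared = headers.get(b"content-length", b"")
    # Use the larger of the declared and the actually captured body size.
    size = max(len(body), int(declared) if declared.isdigit() else 0)
    problems = []
    if size > ASP_MAX_ENTITY_BYTES:
        problems.append("post-size")
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        for pair in body.split(b"&"):
            name, _, value = pair.partition(b"=")
            if len(value) > ASP_MAX_FIELD_BYTES:
                problems.append("field-size:" + name.decode("ascii", "replace"))
    return problems


def build_post(fields: dict) -> bytes:
    """Constructed sample input: a form POST to a hypothetical /form.asp."""
    body = b"&".join(k.encode() + b"=" + v for k, v in fields.items())
    head = (b"POST /form.asp HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body
```

A result of "header-incomplete" means the size limit was not reached, so a connection reset in that state points at HeaderWaitTimeout rather than the header size limit.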