Client requests time out or error out

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

In IIS 6.0, settings are set to aggressive and secure defaults to minimize attacks due to time-outs and limits that were previously too generous. IIS enforces the following time-outs at the connection level:

  • Limits on Response Buffering: The default value for the AspBufferingLimit Metabase Property is 4 MB. If ASP scripts buffer more than this, they error-out. There was no limit to buffering prior to IIS 6.0.

  • Limits on posts: The AspMaxRequestEntityAllowed Metabase Property enforces a maximum ASP post size of 204,800 bytes, with each individual field limited to 100 KB. There was no limit to posts prior to IIS 6.0.

  • The ServerListenTimeout metabase property is not used used by the WWW service in IIS 6.0, but remains available for the FTP, SMTP, and NNTP services. For the WWW service, ServerListenTimeout has been replaced by the following metabase properties:

    • ConnectionTimeout Metabase Property: This property specifies the amount of time, in seconds, the server waits before disconnecting an inactive connection.

    • MinFileBytesPerSec Metabase Property: When IIS responds to a client request, the MinFileBytesPerSec property determines the length of time the client has to receive the entire response. If the client machine takes too long to receive the entire response, the kernel-mode driver, HTTP.sys, terminates the connection according to the time-out value.

    • HeaderWaitTimeout Metabase Property: When a client connects to the Web server, the client computer is given a time limit to send in all headers for the request (demarked by a final double \r\n). If the complete header set for the request is not received within the time period indicated by HeaderWaitTimeout, HTTP.sys resets the connection. You can configure the value of HeaderWaitTimeout.

  • Header size limitation: By default, HTTP.sys only accepts requests where the request header is less than 16 KB. This means that if HTTP.sys does not receive the terminating <CRLF><CRLF> sequence within 16 KB, HTTP.sys considers the request malicious and terminates the connection. You can change the header size limitation by adjusting the value in the MaxRequestBytes registry key.