Cannot read configuration file because it exceeds the maximum file size (web.config)

I recently came across an interesting case where the customer was in the process of migrating their content over to a new build of IIS 7.5. All was going well until they hit an issue when migrating their 1MB web.config file, where they received the error "cannot read configuration file because it exceeds the maximum file size". The customer asked why they were receiving the error and why a limit is imposed. Here is how I responded:

We have found an internal article that mentions that the reason for the 250KB limit is to reduce the chances of an attacker uploading a large web.config file. The limit applies not just when migrating websites but also when deploying such large web.config files into existing website builds.

The upper value of this limit can be changed by modifying the following registry key:

HKLM\SOFTWARE\Microsoft\InetStp\Configuration\MaxWebConfigFileSizeInKB  (REG_DWORD)

Note: If you configure IIS 7.0 and IIS 7.5 to run in 32-bit mode on Windows Server 2008 x64 or on Windows Server 2008 R2 x64, the registry key is instead the following:

HKLM\SOFTWARE\Wow6432Node\Microsoft\InetStp\Configuration\MaxWebConfigFileSizeInKB (REG_DWORD)

https://support.microsoft.com/kb/954864
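
Before raising the limit, it helps to know which web.config files are actually near it. The following script is an added example, not part of the original response: it reads both registry locations named above and lists web.config files over or close to the limit. It assumes PowerShell 3.0 or later run as a 64-bit process, a hypothetical content root of `C:\inetpub\wwwroot`, and that an absent registry value means the 250KB default applies.

```powershell
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',  # hypothetical path: point at your content root
    [int]$WarnPercent = 80                      # flag files at or above this share of the limit
)

$DefaultLimitKB = 250                           # assumption: default when the value is absent
$ValueName = 'MaxWebConfigFileSizeInKB'
# Native key, plus the Wow6432Node key used when IIS runs in 32-bit mode on x64.
# Run from 64-bit PowerShell so the first path is not redirected to the second.
$Keys = [ordered]@{
    'Native'      = 'HKLM:\SOFTWARE\Microsoft\InetStp\Configuration'
    'Wow6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\InetStp\Configuration'
}

function Get-ConfigLimitKB([string]$KeyPath) {
    # Returns the configured REG_DWORD, or the default if the key or value is missing
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop) { return [int]$prop.$ValueName }
    return $DefaultLimitKB
}

$limits = foreach ($view in $Keys.Keys) {
    [pscustomobject]@{ View = $view; LimitKB = Get-ConfigLimitKB $Keys[$view] }
}
$limits | Format-Table -AutoSize

# The script cannot tell which bitness each application pool uses,
# so it checks every file against the lower of the two values.
$effectiveKB = ($limits | Measure-Object -Property LimitKB -Minimum).Minimum

Get-ChildItem -Path $SiteRoot -Filter 'web.config' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sizeKB = [math]::Round($_.Length / 1KB, 1)
        $status = if ($sizeKB -gt $effectiveKB) {
            'OVER LIMIT'
        } elseif ($sizeKB -ge ($effectiveKB * $WarnPercent / 100)) {
            'NEAR LIMIT'
        } else { 'OK' }
        [pscustomobject]@{
            Path = $_.FullName; SizeKB = $sizeKB; LimitKB = $effectiveKB; Status = $status
        }
    } |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object SizeKB -Descending |
    Format-Table -AutoSize
```

Files reported as NEAR LIMIT are candidates for splitting before they start failing to load.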

The alternative to changing the default value is to split the web.config file into separate files. The benefits of this are reduced chances of denial-of-service attacks, by specifying authorization rules to determine who can edit the files whilst still keeping the default 250KB value. It also allows better manageability of the files and reduces the impact of human error.

More information on how to do this can be found here:

https://www.iis.net/learn/get-started/planning-your-iis-architecture/getting-started-with-configuration-in-iis-7-and-above

https://netrsc.blogspot.co.uk/2006/05/how-to-split-webconfig-sections-into.html

https://www.davidturvey.com/blog/index.php/2009/10/how-to-split-the-web-config-into-mutliple-files/

Note: Make sure you use .config as the extension of your files so they cannot be served to the browser.

https://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.configsource.aspx

 HTH

Rezwan Rahman