Microsoft "fixed" the HTTP/2 vulnerabilities recently discovered. The updates add the ability to create the registry keys to stop the vulnerabilities, they don't actually fix the vulnerabilities after updating. (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9511)
They give zero guidance on what any of the values should be or even what a good starting point would be to set the values. Does anyone have any baseline recommendations to set these values? They range from 0 to 0xFF or 0xFFF, which makes it even more interesting. Setting them all to the min or max to start sounds like a bad idea.
These are the registry keys and possible values:
Http2MaxPingsPerMinute - Range 0 to 0xFF - If you don't allow anyone to ping you does it matter?
Http2MaxServerResetsPerMinute - Range 0 to 0xFFF
Http2MaxPrioritiesPerStream - Range 0 to 0xFF
Http2MaxResetsPerStream - Range 0 to 0xFF
Http2MaxUnknownsPerStream - Range 0 to 0xFF
Http2MaxWindowUpdatesPerSend - Range 0 to 0xFF
Http2MinimumSendWindowSize - Range 0 to 0xFFF
BONUS!
They did the same thing in February. (https://support.microsoft.com/en-us/help/4491420/define-thresholds-on-the-number-of-http-2-settings-parameters-exchange)
I have seen one article online, that I cannot find again, that suggested setting these values to 256 to start, but I haven't seen any other suggestions anywhere else.
Http2MaxSettingsPerFrame - Range 7 to 2796202
Http2MaxSettingsPerMinute - Minimum Value 7
Thanks ahead to anyone that can help!
0 Answers