I assume your instance mode is Per Session. You can set this value to Int32.Max if required. How ever, it is good to understand the WCF Throttling concepts in detail..
The value is very low to prevent DOS attacks, as WCF team wants the services to be "secure by default".
Here is a good read, have a look at this blog post here
Note that these values are extremely
low... much lower than many people
would like them to be. The thinking of
the WCF team here was that they wanted
WCF to be "secure by default" and
reduce the change of DOS attacks being
launched from against your service.
That idea might sound great, but in
practice it causes major issues.
In
fact, you have almost certainly ran
into these issues if you are using a
binding like WsHttpBinding that
supports sessions. Why is that? The
default number of sessions at 10, this
appears at first to mean that 10 users
can access your service at the same
time. However, WCF sessions are not
web sessions. Unlike web sessions,
which are managed by the server and
generally tracked using http cookies,
WCF sessions are initiated by the
client proxy and don't end until they
time out or the client sends an
explicit request to abandon the
session. Here's the thing, since each
proxy instance initiates it's own
session, a user that makes a few
requests at once could potentially be
using multiple sessions at once. Now
you might be thinking you are safe if
you don't have multi-threaded code
that does this kind of thing... but
that's not exactly true. Because the
user must make an explicit request to
the server to cancel his session, it's
possible that you will leave sessions
open accidently. People who have been
working with ASMX services, often
don't realize that they need to close
their proxy objects, and the few that
do realize that the objects need to be
closed often make the mistake of
treating them like disposable objects,
which results in sessions being left
open. Keeping in mind that the default
session limit is 10, this means that
if you make ten calls to a service
using WsHttpBinding in a relatively
short amount of time, you can end up
locking up your service until the
sessions expire.
The decision that the
WCF team made here can be perplexing.
In an attempt to limit the ability of
attackers to launch DOS attacks
against your services, they made it
much easier to perform a DOS attack
against your service. No longer do you
need the resources to flood a server
with requests so that it can no longer
respond, you simply have to make a
handful of calls without explicitly
requesting the connection to close and
max out the session count. Unless set
this value extremely high, you run the
risk of having a server refusing to
accept any incoming connections,
despite the fact that it is chilling
out with zero CPU usage.