Details

Developers often enable the debug mode during active ASP.NET development so that they do not have to continually clear their browsers cache every time they make a change to a resource handler. The problem would arise from this being left ‘on’ or set to ‘true’. Compilation debug output is displayed to the end user, allowing malicious persons to obtain detailed information about applications.

This is a defense in depth recommendation due to the in the machine.config configuration file overriding any debug settings. It is recommended that debugging still be turned off.

Setting to false ensures that detailed error information does not inadvertently display during live application usage, mitigating the risk of application information leakage falling into unscrupulous hands.

Solution

To use the UI to make this change:
1. Open IIS Manager and navigate desired server, site, or application
2. In Features View, double-click .NET Compilation
3. On the .NET Compilation page, in the Behavior section, ensure the Debug field is set to False
4. When finished, click Apply in the Actions pane
Note: The switch will not be present in the web.config file unless it has been added manually, or has previously been configured using the IIS Manager GUI.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/166

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

• 800-53|SI-11a.

Source

• Tenable.com/audits