Details

The switch is intended for use by production IIS servers. This switch is used to help applications run with the best possible performance and least possible security information leakages by disabling the application’s ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch. Often times, switches and options that are developer-focused, such as failed request tracing and debugging, are enabled during active development. It is recommended that the deployment method on any production server be set to retail.

Rationale:

Utilizing the switch specifically intended for production IIS servers will eliminate the risk of vital application and system information leakages that would otherwise occur if tracing or debug were to be left enabled, or customErrors were to be left off.

Solution

1. Open the machine.config file located in: %systemroot%\Microsoft.NET\Framework\\CONFIG
2. Add the line within the section
3. If systems are 64-bit, do the same for the machine.config located in: %systemroot%\Microsoft.NET\Framework\\CONFIG
Default Value:
The tag is not included in the machine.config by default.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2297https://workbench.cisecurity.org/files/2297

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.

References

• 800-53|CM-6b.
• CSCv7|18

Source

• Tenable.com/audits