Details

The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.

This is a defense in depth recommendation due to the in the machine.config file overriding any settings for ASP.NET stack tracing that are left on. It is recommended that ASP.NET stack tracing still be turned off.

In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site. If necessary, the localOnly attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information.

Solution

1) ensure is enabled in the machine.config.
2) Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes.
Per Page:
Remove any references to
Trace=’true’
Per Application:

… …
Default Value:
The default value for ASP.NET tracing is off.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/166

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

• 800-53|SI-11a.

Source

• Tenable.com/audits