1. Home
  2. Security Hardening
  3. CIS IIS 8.0 V1.5.0 L2
  4. Ensure Custom Error Messages are not Off – Applications
Searching...

Ensure Custom Error Messages are not Off – Applications

Details

When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether or not the application should display a friendly message to the client, detailed error message to the

client, or detailed error message to localhost only. The tag in the web.config has three modes:

. On: Specifies that custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host

. Off: Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host

. RemoteOnly: Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value

This is a defense in depth recommendation due to the in the machine.config file overriding any settings for customErrors to be turned Off. It is recommended that customErrors still be turned to On or RemoteOnly.

customErrors can be set to On or RemoteOnly without leaking detailed application information to the client. Ensuring that customErrors is not set to Off will help mitigate the risk of malicious persons learning detailed application error and server configuration information.

Solution

customErrors may be set for a server, site, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the customErrors mode to RemoteOnly or On for a Web Site in the IIS Manager GUI:
1. Open the IIS Manager GUI and navigate to the site to be configured
2. In Features View, find and double-click .NET Error Pages icon
3. In the Actions Pane, click Edit Feature Settings
4. In modal dialog, choose On or Remote Only for Mode settings
5. Click OK

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

Source

Updated on July 16, 2022
Was this article helpful?
Yes No

Related Articles