A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the <httpErrors> element of the <system.webServer> section. It is recommended that custom errors be prevented from displaying remotely. Rationale: The information contained in custom error messages can provide clues as to how applications function, opening up unnecessary attack vectors. Ensuring custom errors are never displayed remotely can help mitigate the risk of malicious persons obtaining information as to how the application works. Impact: Custom errors will not be viewable remotely.
Solution
The following describes how to change the errorMode attribute to DetailedLocalOnly or Custom for a Web site by using IIS Manager: Open IIS Manager with Administrative privileges In the Connections pane on the left, expand the server, then expand the Sites folder Select the Web site or application to be configured In Features View, select Error Pages, in the Actions pane, select Open Feature In the Actions pane, select Edit Feature Settings In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests Click OK and exit the Edit Error Pages Settings dialog OR Enter the following command in PowerShell to configure: Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.webServer/httpErrors' -name 'errorMode' -value 'DetailedLocalOnly' Default Value: The default errorMode is DetailedLocalOnly.