Information
The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.
This is a defense in depth recommendation due to the <deployment retail='true' /> in the machine.config file overriding any settings for ASP.NET stack tracing that are left on.
It is recommended that ASP.NET stack tracing still be turned off.
Rationale:
In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site.
If necessary, the localOnly attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information.
Impact:
ASP.NET stack tracing still be turned off and sensitive configuration and detailed stack trace information will not be viewable to anyone who views the pages in the site.
Solution
Ensure <deployment retail='true' /> is enabled in the machine.config.
Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes.
Per Page:
Remove any references to:
Trace='true'
Per Application:
<configuration>
<system.web>
<trace enabled='true'>
</system.web>
</configuration>
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/trace' -name 'enabled' -value 'False'
Default Value:
The default value for ASP.NET tracing is off.