3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely

Information

A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the <httpErrors> element of the <system.webServer> section. It is recommended that custom errors be prevented from displaying remotely.

Rationale:

The information contained in custom error messages can provide clues as to how applications function, opening up unnecessary attack vectors. Ensuring custom errors are never displayed remotely can help mitigate the risk of malicious persons obtaining information as to how the application works.

Solution

The following describes how to change the errorMode attribute to DetailedLocalOnly or Custom for a Web site by using IIS Manager:

Open IIS Manager with Administrative privileges

In the Connections pane on the left, expand the server, then expand the Sites folder

Select the Web site or application to be configured

In Features View, select Error Pages, in the Actions pane, select Open Feature

In the Actions pane, select Edit Feature Settings

In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests

Click OK and exit the Edit Error Pages Settings dialog

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11a.

Plugin: Windows

Control ID: a431e3b48e7748536f9640d3778715e57bcb37fa4f89926bea0cf964813f80a0