3.3 Ensure custom error messages are not off

Information

When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether or not the application should display a friendly message to the client, detailed error message to the client, or detailed error message to localhost only. The <customErrors> tag in the web.config has three modes:

On: Specifies that custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host

Off: Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host

RemoteOnly: Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value

This is a defense in depth recommendation due to the <deployment retail='true' /> in the machine.config file overriding any settings for customErrors to be turned Off. It is recommended that customErrors still be turned to On or RemoteOnly.

Rationale:

customErrors can be set to On or RemoteOnly without leaking detailed application information to the client. Ensuring that customErrors is not set to Off will help mitigate the risk of malicious persons learning detailed application error and server configuration information.

Solution

customErrors may be set for a server, site, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the customErrors mode to RemoteOnly or On for a Web Site in the IIS Manager GUI:

Open the IIS Manager GUI and navigate to the site to be configured

In Features View, find and double-click .NET Error Pages icon

In the Actions Pane, click Edit Feature Settings

In modal dialog, choose On or Remote Only for Mode settings

Click OK

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11a.

Plugin: Windows

Control ID: 75608d6e5799ec614a96bb5bb74183ca78fc74ac26818ed84d3d27d3b635558f