3.3 Ensure Custom Error Messages are not Off

Information

When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether the application should display a friendly message to the client, a detailed error message to the client, or a detailed error message to localhost only. The <customErrors> tag in the web.config has three modes:
- On: Specifies that custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host.
- Off: Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host.
- RemoteOnly: Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value.
This is a defense in depth recommendation, because <deployment retail='true' /> in the machine.config file overrides any customErrors setting of Off. It is recommended that customErrors still be set to On or RemoteOnly.

customErrors can be set to On or RemoteOnly without leaking detailed application information to the client. Ensuring that customErrors is not set to Off will help mitigate the risk of malicious persons learning detailed application error and server configuration information.
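The following audit script is an added example, not part of the benchmark or of any CIS tooling. It parses a web.config, reports the customErrors mode at the site level and in every <location> override, and flags any scope set to Off. The three web.config samples embedded in it are constructed for the example; in practice the script would be pointed at the real file, and the machine.config <deployment retail="true" /> override described above is a separate check that this script does not perform.

```python
"""Audit ASP.NET web.config <customErrors> settings against CIS 3.3.

Added example, not benchmark-provided code. Assumes a standard ASP.NET
web.config with <customErrors> under <system.web>, optionally inside
<location> elements. The sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Modes the benchmark accepts; anything else (notably "Off") is a finding.
ACCEPTABLE_MODES = {"on", "remoteonly"}
DEFAULT_MODE = "RemoteOnly"  # ASP.NET default when no mode is configured

# Constructed sample: fails (detailed errors go to every client).
WEB_CONFIG_WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: passes at the site level, but a path-scoped
# <location> override turns detailed errors back on for one directory.
WEB_CONFIG_MIXED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
  <location path="debug">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>
"""

# Constructed sample: passes (no element, so the RemoteOnly default applies).
WEB_CONFIG_DEFAULT = """<?xml version="1.0"?>
<configuration>
  <system.web />
</configuration>
"""


def customerrors_modes(web_config_xml):
    """Return a list of (scope, mode) for every <customErrors> element.

    scope is "/" for the site-level <system.web>, or the <location path>
    value for a scoped override. If the file has no <customErrors> at all,
    the ASP.NET default is reported as ("/", "RemoteOnly").
    """
    root = ET.fromstring(web_config_xml)
    # Parent map so we can walk upward and find an enclosing <location>.
    parent = {child: p for p in root.iter() for child in p}
    results = []
    for elem in root.iter("customErrors"):  # document order
        scope = "/"
        node = parent.get(elem)
        while node is not None:
            if node.tag == "location":
                scope = node.get("path", "")
                break
            node = parent.get(node)
        results.append((scope, elem.get("mode", DEFAULT_MODE)))
    if not results:
        results.append(("/", DEFAULT_MODE))
    return results


def audit_customerrors(web_config_xml):
    """Return (compliant, findings) for CIS 3.3.

    One finding per scope whose mode is not On or RemoteOnly. The
    comparison is case-insensitive so a miscased value such as
    mode="off" is flagged rather than silently passed.
    """
    findings = []
    for scope, mode in customerrors_modes(web_config_xml):
        if mode.lower() not in ACCEPTABLE_MODES:
            findings.append(f"customErrors mode={mode!r} at scope {scope!r}")
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    samples = [("weak", WEB_CONFIG_WEAK), ("mixed", WEB_CONFIG_MIXED),
               ("default", WEB_CONFIG_DEFAULT)]
    for name, cfg in samples:
        ok, findings = audit_customerrors(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {findings}")
```

The <location> handling is the part worth keeping: a site-level RemoteOnly setting looks compliant on its own, but a scoped override to Off still exposes detailed errors for that path, so the audit walks every <customErrors> element rather than only the first.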

NOTE: This section requires ASP.NET, but ASPNET and .Net Extensibility have not been found.

See Also

https://workbench.cisecurity.org/files/165