Information
Developers often enable the debug mode during active ASP.NET development so that they do not have to continually clear their browsers cache every time they make a change to a resource handler. The problem would arise from this being left 'on' or set to 'true'. Compilation debug output is displayed to the end user, allowing malicious persons to obtain detailed information about applications.
This is a defense in depth recommendation due to the <deployment retail='true' /> in the machine.config configuration file overriding any debug settings. It is recommended that debugging still be turned off.
Setting <compilation debug> to false ensures that detailed error information does not inadvertently display during live application usage, mitigating the risk of application information leakage falling into unscrupulous hands.
Solution
To use the UI to make this change:
1. Open IIS Manager and navigate desired server, site, or application
2. In Features View, double-click .NET Compilation
3. On the .NET Compilation page, in the Behavior section, ensure the Debug field is set to False
4. When finished, click Apply in the Actions pane
Note: The <compilation debug> switch will not be present in the web.config file unless it has been added manually, or has previously been configured using the IIS Manager GUI.