Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.

From IIS 8.5 Site Security Technical Implementation Guide

Part of SRG-APP-000266-WSR-000160

Associated with: CCI-001312

SV-91533r1_rule Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.

Vulnerability discussion

Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users.

Check content

Note: If the ".NET feature" is not installed, this check is Not Applicable.

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name under review.
Double-click ".NET Compilation".
Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False".

If the "Debug" value is not set to "False", this is a finding.

Fix text

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name under review.
Double-click ".NET Compilation".
Scroll down to the "Behavior" section and set the value for "Debug" to "False".
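The check and fix procedures above can be scripted for every site on the server. The following is an added example, not part of the STIG: it reads the same setting that ".NET Compilation" shows in IIS Manager (the debug attribute of system.web/compilation) through the WebAdministration module. The -Remediate switch and the Status labels are names chosen for this example, and the script does not decide whether the check is Not Applicable.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally fix) the "Debug" value under
# ".NET Compilation" for every site on this IIS server.
[CmdletBinding()]
param(
    # Hypothetical switch for this example: when set, apply the Fix text
    # (set Debug to False) to each site that fails the check.
    [switch]$Remediate
)

Import-Module WebAdministration -ErrorAction Stop

# Configuration section behind the ".NET Compilation" feature page.
$filter = 'system.web/compilation'

$results = foreach ($site in Get-Website) {
    $psPath = "IIS:\Sites\$($site.Name)"

    # Effective value at site level, including anything inherited
    # from machine-level configuration.
    $debug = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'debug').Value

    if ($debug -and $Remediate) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'debug' -Value $false
        # Re-read so the report reflects what is actually configured now.
        $debug = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'debug').Value
    }

    [pscustomobject]@{
        Site   = $site.Name
        Debug  = $debug
        Status = if ($debug) { 'Finding' } else { 'Not a finding' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job flag the host.
if ($results.Status -contains 'Finding') { exit 1 }
```

The script evaluates the site level only, as the check content does; an application beneath a site that carries its own web.config can set debug separately and needs to be reviewed on its own.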
