IIS: Hide Custom Errors from displaying remotely

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2
Product/Feature: Internet Information Services
Severity: Error
Category: Security

Issue

The errorMode attribute of section '<SectionName>' [path:<Path>] is set to Detailed.

Impact

Users browsing to your site or application could see some privileged information that is contained in the detailed error pages being sent remotely.

Resolution

Set the Custom Errors errorMode to DetailedLocalOnly or Custom.

A Web site's error pages are often set to show detailed error information for troubleshooting purposes. However, to prevent unauthorized users from viewing privileged information, you should make sure that detailed error pages will not be seen by remote users. You can do this by using IIS Manager to change the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the <httpErrors> element of the <system.webServer> section. The following procedure describes how to change the errorMode attribute for a Web site by using IIS Manager.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To set the custom errors error mode to DetailedLocalOnly or Custom

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, expand the computer, then expand the Sites folder.

  4. Select the Web site or application that you want to configure.

  5. In Features View, select Error Pages. In the Actions pane, select Open Feature.

  6. In the Actions pane, select Edit Feature Settings.

  7. In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests.

  8. Click OK to exit the Edit Error Pages Settings dialog.
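
The same change scripted with the WebAdministration PowerShell module, as an added example that is not part of the original topic. It reports the effective errorMode for every site and application, then previews switching any Detailed value to DetailedLocalOnly. It assumes an elevated PowerShell session on the IIS server; the variable names are illustrative.

```powershell
# Added example: audit and remediate the httpErrors errorMode setting.
# Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

$filter = 'system.webServer/httpErrors'

# Build the configuration path of every site and of each application under it.
$paths = foreach ($site in Get-Website) {
    "IIS:\Sites\$($site.Name)"
    foreach ($app in Get-WebApplication -Site $site.Name) {
        # $app.path is the application's virtual path, for example "/shop".
        "IIS:\Sites\$($site.Name)$($app.path -replace '/', '\')"
    }
}

# Read the effective errorMode at each path (inherited values included).
$report = foreach ($path in $paths) {
    $mode = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name errorMode
    # If the value comes back wrapped in an attribute object, unwrap it.
    if ($mode -isnot [string]) { $mode = $mode.Value }
    New-Object PSObject -Property @{ Path = $path; ErrorMode = "$mode" }
}
$report | Format-Table Path, ErrorMode -AutoSize

# Remediate: any path set to Detailed is switched to DetailedLocalOnly.
# -WhatIf only previews the change; remove it to apply.
$report | Where-Object { $_.ErrorMode -eq 'Detailed' } | ForEach-Object {
    Set-WebConfigurationProperty -PSPath $_.Path -Filter $filter `
        -Name errorMode -Value 'DetailedLocalOnly' -WhatIf
}
```

After applying the change, rerun the script to confirm that no path still reports Detailed.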