Using Substatus and Win32 Errors in W3C Extended Logging

Applies To: Windows Server 2003, Windows Server 2003 with SP1

To reduce the attack surface of IIS 6.0, custom error messages do not return specific error message information, including the substatus code, to remote client computers. If a custom error message contains too much information about the core Web server and an explanation of why a particular request failed to execute, malicious users can use the information to attack the Web server. As an example, an error code such as 404.2-Web Service Extension Lockdown Policy Prevents This Request is returned to a Web client as 404-File or Directory Not Found, and, thereby, gives the Web client no indication of why the request failed.

Although this change to error message reporting reduces the possibility of an attack by a malicious user, it makes it difficult to debug a failed request. For this reason, you can enable substatus error codes logging to IIS log files when appropriate. Note that on clean installs, substatus code logging for W3C Extended format files is enabled by default. Doing so is particularly useful when the logging of Win32 error codes is enabled. Then, to obtain the information that you need, you simply locate the specific request in the log file and check the Win32 error code and substatus code. This feature is called W3C extended logging. Figure 11.2   Extended Logging Properties Sheet shows substatus codes as they appear on the extended logging properties sheet.

For more information about logging substatus error codes, see Substatus Error Codes in Log Files.