3.5 Ensure ASP.NET stack tracing is not enabled - Default

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.
This is a defense in depth recommendation due to the <deployment retail='true' /> in the machine.config file overriding any settings for ASP.NET stack tracing that are left on. It is recommended that ASP.NET stack tracing still be turned off.

In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site. If necessary, the localOnly attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information.

Solution

1) ensure <deployment retail='true' /> is enabled in the machine.config.
2) Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes.
Per Page:
Remove any references to
Trace='true'
Per Application:
<configuration> <system.web>
... <trace enabled='true'>
... </system.web> </configuration>
Default Value:
The default value for ASP.NET tracing is off.

See Also

https://workbench.cisecurity.org/files/166