3.1 Ensure 'deployment method retail' is set


The <deployment retail> switch is intended for use by production IIS servers. It helps applications run with the best possible performance and the least possible leakage of security information by disabling the application's ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch. Developer-focused switches and options, such as failed request tracing and debugging, are often enabled during active development. It is recommended that the deployment method on any production server be set to retail.

Using the switch specifically intended for production IIS servers eliminates the risk of leaking vital application and system information, which would otherwise occur if tracing or debug were left enabled or customErrors were left off.

NOTE: This section requires ASP.NET, but ASPNET and .Net Extensibility have not been found.


1. Open the machine.config file located in: %systemroot%\Microsoft.NET\Framework\<framework_version>\CONFIG
2. Add the line <deployment retail='true' /> within the <system.web> section
3. If systems are 64-bit, do the same for the machine.config located in:
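
The following check for the setting from step 2 is an added example, not part of the benchmark text or the audit plugin. The function name `Test-DeploymentRetail`, the strict match on `'true'` and the inline sample configurations are constructed for illustration.

```powershell
# Added example: verify that <deployment retail='true' /> sits inside <system.web>.
function Test-DeploymentRetail {
    param([Parameter(Mandatory)][string]$ConfigXml)

    # Small helper so every exit path returns the same object shape.
    $result = { param($ok, $why) [pscustomobject]@{ Compliant = $ok; Reason = $why } }

    try   { $doc = [xml]$ConfigXml }
    catch { return & $result $false 'not well-formed XML' }

    # Assumption: the file declares no default XML namespace, so plain XPath matches.
    $node = $doc.SelectSingleNode('/configuration/system.web/deployment')
    if ($null -eq $node) {
        return & $result $false 'no <deployment> element under <system.web>'
    }

    # GetAttribute returns an empty string when the attribute is absent.
    $retail = $node.GetAttribute('retail')

    # Strict, case-sensitive match on the value given in step 2 (a choice made here).
    if ($retail -ceq 'true') { return & $result $true "retail='true'" }
    return & $result $false "retail='$retail' (expected 'true')"
}

# Constructed sample configurations, including the failure modes worth catching.
$samples = [ordered]@{
    'retail set'     = "<configuration><system.web><deployment retail='true' /></system.web></configuration>"
    'retail false'   = "<configuration><system.web><deployment retail='false' /></system.web></configuration>"
    'element absent' = "<configuration><system.web><trace enabled='true' /></system.web></configuration>"
    'wrong section'  = "<configuration><deployment retail='true' /><system.web /></configuration>"
    'attribute gone' = "<configuration><system.web><deployment /></system.web></configuration>"
    'broken file'    = "<configuration><system.web>"
}

foreach ($name in $samples.Keys) {
    $r = Test-DeploymentRetail $samples[$name]
    '{0,-15} Compliant={1,-5} {2}' -f $name, $r.Compliant, $r.Reason
}

# Against a real file, pass its content; $pathToMachineConfig is a placeholder
# for the location named in step 1:
#   Test-DeploymentRetail (Get-Content -Raw -LiteralPath $pathToMachineConfig)
```

Only the first sample reports `Compliant=True`; a `<deployment>` element placed outside `<system.web>` is reported as missing because step 2 requires it within that section.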


Item Details


References: 800-53|CM-6b., CSCv6|3.1

Plugin: Windows

Control ID: 275ffe716f69898111cbeab17f4385beea8767b7f3a50a12bf16a652b707010f