3.5 Ensure ASP.NET stack tracing is not enabled

Information

The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.
This is a defense in depth recommendation due to the <deployment retail='true' /> in the machine.config file overriding any settings for ASP.NET stack tracing that are left on. It is recommended that ASP.NET stack tracing still be turned off.

In an active Web Site, tracing should not be enabled because it can display sensitive configuration and detailed stack trace information to anyone who views the pages in the site. If necessary, the localOnly attribute can be set to true to have trace information displayed only for localhost requests. Ensuring that ASP.NET stack tracing is not on will help mitigate the risk of malicious persons learning detailed stack trace information.

NOTE: This section requires ASP.NET, but ASPNET and .Net Extensibility have not been found.

See Also

https://workbench.cisecurity.org/files/165

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 70eceb28ded36d2bea0293aea24d9662a4f171d5f262b22f6e150fc1a326922a