CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Configuring Custom Error Messages

IIS provides you with the ability to return a customized URL to users when an HTTP error is generated. Custom error pages are commonly used to produce a nicer user experience, especially in the case of 404 File Not Found situations. However, using custom error messages can also provide a security benefit. In the event of an application error, a custom error message can prevent information disclosure (by keeping the user from seeing the error's source and stack trace), and it can allow the server to log the error or alert the administrator.

By the Book

IIS 6.0 provides two methods for configuring custom error messages for ASP-based applications. Either of these methods can be used when an unhandled exception is raised. An unhandled exception is an error that is not taken care of (handled) within the code itself. A simple generic error page can be sent back for any unhandled ASP error, or a custom page can be sent back. IIS 6.0 does not handle ASP.NET errors natively. Instead, to configure a custom page for unhandled ASP.NET exceptions you must edit the ASP.NET web.config file.
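The web.config side of this, as an added example that is not from the book: the weak setting that sends full error details to every client, beside the hardened customErrors setting for unhandled ASP.NET exceptions. The page names GenericError.htm and NotFound.htm are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak setting, shown only for contrast:
         mode="Off" returns the full ASP.NET error page, including the
         exception message, offending source line and stack trace, to
         every remote client.
    <customErrors mode="Off" />
    -->

    <!-- Hardened setting: remote clients always receive the generic page,
         while a browser on the server itself still sees the detailed error
         for troubleshooting. Use mode="On" to hide details from everyone,
         including local users. -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm">
      <!-- Per-status mappings (placeholder page names). On IIS 6.0 only
           requests routed to ASP.NET (for example .aspx) reach these; a
           404 for a static file is handled by the IIS custom error
           setting, not by web.config. -->
      <error statusCode="404" redirect="NotFound.htm" />
      <error statusCode="500" redirect="GenericError.htm" />
    </customErrors>
  </system.web>
</configuration>
```

Point defaultRedirect at a static page so the error page cannot itself throw an unhandled exception. The logging or alerting the text mentions belongs in the application's Application_Error handler in global.asax, which runs before the redirect.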

By using custom error pages for unhandled application errors, you can reduce the risk of disclosing sensitive information about the structure of the application that can aid an attacker. Some examples of information disclosure are provided later in this section.

Additionally, you can provide a better monitoring environment for administrators by having a page generate an alert (for example,...
