How to Fix Improper Error Handling in Windows IIS
Improper error handling in IIS can expose sensitive information such as stack traces, internal server
details, or application paths. This can be exploited by attackers. To fix this, follow these steps:
Step 1: Configure Custom Error Pages
By default, IIS may display detailed error messages that reveal internal details. Instead, you should
configure custom error pages.
1. Using IIS Manager (GUI)
1. Open IIS Manager (Win + R, type inetmgr, press Enter).
2. Select the Site
   - In the left panel, expand Sites and click on your website.
3. Open "Error Pages"
   - Double-click Error Pages in the middle panel.
4. Edit the Default Response Mode
   - Click Edit Feature Settings on the right panel.
   - Select Custom error pages and ensure it's not set to Detailed errors.
5. Add Custom Error Pages
   - Click Add... to create a new error page.
   - Enter the Status Code (e.g., 404, 500).
   - Choose "Respond with a specific file" and set the path to a custom error page (e.g., /errors/404.html).
6. Apply and Restart IIS
powershell
iisreset
Step 2: Disable Detailed Errors in Web.config
If you have a Web.config file in your application's root directory, ensure it does not expose detailed
errors.
1. Open Web.config in a text editor.
2. Locate the <system.web> section and update or add the following:
xml
<system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/errors/general.html">
    <error statusCode="404" redirect="~/errors/404.html" />
    <error statusCode="500" redirect="~/errors/500.html" />
  </customErrors>
</system.web>
   - RemoteOnly: Shows detailed errors locally, but not to external users.
   - On: Forces all users to see custom error pages.
3. Save the file and restart IIS.
Step 3: Disable Verbose ASP.NET Error Messages
If your site uses ASP.NET, disable detailed error messages.
1. Open IIS Manager.
2. Click on the Application Pool for your site.
3. Click Advanced Settings on the right.
4. Find Enable 32-bit Applications and set it to False (if applicable).
5. Find Failure Actions and ensure it does not expose logs.
Step 4: Secure IIS Logs and Event Viewer
Even if custom errors are set, logs should not expose sensitive details.
Disable ASP.NET Event Validation Details
1. Open Web.config and add this in <system.web>:
xml
<system.web>
  <compilation debug="false" />
  <httpRuntime enableVersionHeader="false" />
</system.web>
2. Save and restart IIS.
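The settings from Steps 1, 2 and 4 can also be applied from a script, which is easier to repeat across servers and to review. The following is an added example, not part of the original guide, using the WebAdministration module that ships with IIS. The site name 'Default Web Site' and the /errors/ page paths are assumptions; change them to match your site. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example (not from the original guide): apply Steps 1, 2 and 4 with the
# WebAdministration module instead of IIS Manager and a hand-edited Web.config.
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumption: the site name shown in IIS Manager
$sitePath = "IIS:\Sites\$siteName"  # writes to the site's own Web.config

# Step 1: IIS-level error pages. The httpErrors section is locked at server level
# by default, so it is written into applicationHost.config as a <location> for
# this site rather than into Web.config. 'Custom' never sends detailed IIS
# errors to remote clients.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/httpErrors' -Name 'errorMode' -Value 'Custom'

# Step 2: ASP.NET <customErrors> in Web.config.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/customErrors' `
    -Name 'mode' -Value 'RemoteOnly'
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/customErrors' `
    -Name 'defaultRedirect' -Value '~/errors/general.html'   # assumption: page exists

foreach ($code in 404, 500) {
    # Update an existing <error> entry if present, otherwise add one, so the
    # script can be re-run without creating duplicate collection entries.
    $filter   = "system.web/customErrors/error[@statusCode='$code']"
    $redirect = "~/errors/$code.html"                          # assumption: pages exist
    $existing = Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name 'redirect'
    if ($existing) {
        Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name 'redirect' -Value $redirect
    } else {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/customErrors' -Name '.' `
            -Value @{ statusCode = $code; redirect = $redirect }
    }
}

# Step 4: no debug compilation (debug builds emit fuller stack traces) and no
# X-AspNet-Version response header.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/compilation' `
    -Name 'debug' -Value $false
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# Read the effective configuration back so the result can be checked at a glance.
$httpErrors   = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
                    -Filter 'system.webServer/httpErrors'
$customErrors = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/customErrors'
$compilation  = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/compilation'
$httpRuntime  = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/httpRuntime'

[pscustomobject]@{
    HttpErrorsMode   = $httpErrors.errorMode              # expected: Custom
    CustomErrorsMode = $customErrors.mode                 # expected: RemoteOnly
    CompilationDebug = $compilation.debug                 # expected: False
    VersionHeader    = $httpRuntime.enableVersionHeader   # expected: False
}

# IIS picks up configuration changes automatically; the guide restarts anyway.
iisreset
```

Keep the generated Web.config under version control alongside the application so a later deployment cannot silently reintroduce debug="true" or mode="Off".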
Secure IIS Logs
1. Open Event Viewer (eventvwr in Run).
2. Go to Windows Logs → Application.
3. Find events related to IIS (Source: IIS-W3SVC-WP).
4. Ensure they do not expose sensitive stack traces.
Step 5: Test Your Configuration
After applying the fixes, request a page that does not exist and inspect both the headers and the body (use -i rather than -I, because -I sends a HEAD request and returns no body, which is where a stack trace would appear):
sh
curl -i http://yourwebsite.com/invalid-page
Expected Result: A generic error page (not an IIS or ASP.NET error page).
Unexpected Result (Fix Again if Found): Messages showing stack traces or IIS version.
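Reading the curl output by eye does not scale when many sites or status codes need checking. The following is an added example, not part of the original guide, that performs the Step 5 check from PowerShell and scans the response for the phrases found on detailed IIS and ASP.NET error pages. The URL is the guide's placeholder, and the indicator lists are assumptions based on the standard wording of those pages. Run it from a machine other than the server: with customErrors mode="RemoteOnly", a request from localhost is still shown the detailed page, so a local test proves nothing about what external users see.

```powershell
# Added example (not from the original guide): automated version of the Step 5
# check that inspects headers and body for detailed-error leakage.

# Phrases that appear on detailed IIS / ASP.NET error pages but not on a
# generic custom page (assumed list; extend it for your own application).
$BodyIndicators = @(
    "Server Error in",             # ASP.NET "yellow screen" title
    "Source Error:",
    "Stack Trace:",
    "Version Information:",        # leaks .NET Framework / ASP.NET versions
    "Detailed Error Information",  # IIS detailed error page
    "Physical Path:",              # reveals the application path on disk
    "Requested URL:"
)
# Response headers that disclose platform or version details.
$HeaderIndicators = @('X-AspNet-Version', 'X-AspNetMvc-Version', 'X-Powered-By')

function Find-DetailedErrorIndicators {
    # Scans a response body and headers and returns the indicators found.
    # Takes plain values, so it also works offline on a saved response.
    param(
        [string]$Body,
        [hashtable]$Headers = @{}   # PowerShell hashtable keys are case-insensitive
    )
    $found = New-Object System.Collections.Generic.List[string]
    foreach ($needle in $BodyIndicators) {
        if ($Body -and $Body.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $found.Add("body contains '$needle'")
        }
    }
    foreach ($name in $HeaderIndicators) {
        if ($Headers.ContainsKey($name) -and $Headers[$name]) {
            $found.Add("header $name`: $($Headers[$name])")
        }
    }
    # The Server header is only a finding when it carries a version number.
    if ($Headers.ContainsKey('Server') -and $Headers['Server'] -match '\d') {
        $found.Add("header Server: $($Headers['Server'])")
    }
    return ,$found.ToArray()   # leading comma keeps an empty result as an array
}

function Test-ErrorPageLeak {
    param([Parameter(Mandatory)][string]$Url)
    # HttpWebRequest is used instead of Invoke-WebRequest so the body of a
    # 404/500 response is readable on both Windows PowerShell and PowerShell 7.
    $request = [System.Net.HttpWebRequest]::Create($Url)
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }   # DNS/connection failure, not an HTTP error
        $response = $_.Exception.Response
    }
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Close()
    $headers = @{}
    foreach ($name in $response.Headers.AllKeys) { $headers[$name] = $response.Headers[$name] }
    $findings = Find-DetailedErrorIndicators -Body $body -Headers $headers
    [pscustomobject]@{
        Url        = $Url
        StatusCode = [int]$response.StatusCode
        Findings   = $findings
        Passed     = ($findings.Count -eq 0)   # True means a generic page came back
    }
}

# Offline demonstration on a constructed fragment of an ASP.NET detailed error page.
$sampleBody = @"
<title>Server Error in '/' Application.</title>
<b>Stack Trace:</b>
<pre>[NullReferenceException: Object reference not set to an instance of an object.]
   MyApp.Orders.Page_Load(Object sender, EventArgs e) in C:\inetpub\wwwroot\MyApp\Orders.aspx.cs:42</pre>
<b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319
"@
# Reports the three body phrases and the version header found in the sample.
Find-DetailedErrorIndicators -Body $sampleBody -Headers @{ 'X-AspNet-Version' = '4.0.30319' }

# Live check against the guide's placeholder URL (run from a remote machine):
# Test-ErrorPageLeak -Url 'http://yourwebsite.com/invalid-page'
```

A Passed value of False lists exactly which phrase or header leaked, which points back to the step that still needs attention: body phrases mean Steps 1 or 2 are incomplete, while X-AspNet-Version means the httpRuntime change from Step 4 has not taken effect.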
Final Checklist
✔ Enable custom error pages
✔ Set Web.config to hide detailed errors
✔ Disable ASP.NET debugging (debug="false")
✔ Secure IIS logs