Tracing should not be enabled on production servers because system-level trace information can greatly help an attacker profile an application and probe for weak spots.
Tracing is configured using the <trace> element. Set enabled="false" on production servers as follows :
<trace enabled="false" localOnly="true" pageOutput="false" requestLimit="10" traceMode="SortByTime"/>
If you do need to trace problems with live applications, it is preferable that you simulate the problem in a test environment, or if necessary, enable tracing and set localOnly="true" to prevent trace details from being returned to remote clients .