Disable Tracing and Debugging Before Deploying ASP.NET Applications
Disabling tracing and debugging before deploying ASP.NET applications sounds obvious, but you'd be surprised how many people don't do this. Leaving them enabled is bad for two reasons: you can potentially give an attacker too much information, and enabling these options has a negative performance impact.
You can disable them in three ways. The first involves removing the DEBUG verb from Internet Information Services (IIS). Figure 13-3 shows where to find this option in the IIS administration tool.
Figure 13-3. You can remove the DEBUG verb from each extension you don't want to debug (in this case, SOAP files).
You can also disable debugging and tracing within the ASP.NET application itself by adding a Page directive similar to the following one to the appropriate pages:
<%@ Page Language="VB" Trace="False" Debug="False" %>
Finally, you can override debugging and tracing in the application configuration file:
<trace enabled="false" />
<compilation debug="false" />
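A pre-deployment check for the Page directive and configuration file settings described above, as an added example that is not code from the original text. It does not inspect the IIS verb list; the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Element name -> attribute that switches the feature on in the config file.
CONFIG_CHECKS = {"trace": "enabled", "compilation": "debug"}
# Matches an ASP.NET <%@ Page ... %> directive and captures its attribute text.
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.IGNORECASE | re.DOTALL)
ATTRIBUTE = re.compile(r"(\w+)\s*=\s*\"([^\"]*)\"")


def audit_web_config(xml_text):
    """Return a finding for every <trace> or <compilation> that is switched on."""
    findings = []
    # iter() walks the whole tree, so <location> overrides are checked too.
    for element in ET.fromstring(xml_text).iter():
        name = element.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if any
        attr = CONFIG_CHECKS.get(name)
        # A missing attribute is treated as off (hence the "false" default).
        if attr and element.get(attr, "false").strip().lower() == "true":
            findings.append(f'<{name} {attr}="true">')
    return findings


def audit_page(source):
    """Return a finding for Trace="True" or Debug="True" in a Page directive."""
    findings = []
    for directive in PAGE_DIRECTIVE.finditer(source):
        for name, value in ATTRIBUTE.findall(directive.group(1)):
            if name.lower() in ("trace", "debug") and value.strip().lower() == "true":
                findings.append(f'Page {name}="{value}"')
    return findings


# Constructed sample inputs (not taken from a real application).
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" />
    <compilation debug="true" />
  </system.web>
  <location path="admin">
    <system.web><trace enabled="true" /></system.web>
  </location>
</configuration>"""
SAMPLE_PAGE = '<%@ Page Language="VB" Trace="True" Debug="False" %>\n<html></html>'

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_CONFIG) + audit_page(SAMPLE_PAGE):
        print("still enabled:", finding)
```

Run it over every configuration file and page in the deployment package and fail the build when either function returns a finding.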