For security purposes, a user may need to enable or disable .NET verbose error messages for remote users within Strategy Web and Web Services.
.NET verbose messages are configured at the application level within the web.config file and therefore can be turned on or off in two places within Strategy:
In both of the above instances (web.config files) the user needs to find the following entry highlighted in bold and change it to the required value:
<!-- CUSTOM ERROR MESSAGES
Set customErrors mode='On' or 'RemoteOnly' to enable custom error messages, 'Off' to disable.
Add <error> tags for each of the errors you want to handle.
-->
<customErrors mode='Off' />
From here, the user can choose to either set the 'customErrors' mode to:
Also, if required, the user may set up a custom HTML error page at the root level of the Strategy application and redirect the .NET verbose error messages to that page. This action will not conflict or interfere with the proper function of the Strategy Web or Web Services application.
Note: Third-party web vulnerability scanning software such as HP WebInspect may detect that Strategy Web or Web Services has .NET verbose errors enabled and categorize this as a "Medium" threat. However, per the Strategy architecture and structure, the use of .NET verbose errors does not pose a security vulnerability to the application. Nevertheless, if the user is required by corporate IT policies to address the .NET verbose errors in a different fashion, the user can disable or enable .NET verbose errors for remote users only, as indicated above.
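To confirm what a given web.config actually serves to remote users, the following added example (not Strategy's own code) parses the file and reports the effective customErrors mode for the application and for any location override. The sample configurations and the error.html and notfound.html file names are constructed for illustration. It parses the XML rather than searching the text, because the comment above the entry also contains the mode strings.

```python
import xml.etree.ElementTree as ET

# ASP.NET applies mode="RemoteOnly" when <customErrors> or its mode is absent.
DEFAULT_MODE = "RemoteOnly"

# Constructed sample: the entry as shown on this page, comment included.
VERBOSE = """<configuration><system.web>
<!-- CUSTOM ERROR MESSAGES
Set customErrors mode='On' or 'RemoteOnly' to enable custom error messages, 'Off' to disable.
-->
<customErrors mode='Off' />
</system.web></configuration>"""

# Constructed sample: remote users get a static page (file names are hypothetical).
HARDENED = """<configuration><system.web>
<customErrors mode='RemoteOnly' defaultRedirect='~/error.html'>
  <error statusCode='404' redirect='~/notfound.html' />
</customErrors>
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return one finding per <system.web> section, including <location> overrides."""
    root = ET.fromstring(web_config_xml)  # XML comments are dropped by the parser
    scopes = [("(application)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for scope, parent in scopes:
        for system_web in (c for c in parent if c.tag == "system.web"):
            elem = system_web.find("customErrors")
            attrs = elem.attrib if elem is not None else {}
            mode = attrs.get("mode", DEFAULT_MODE)
            findings.append({
                "scope": scope,
                "mode": mode,
                "explicit": elem is not None,
                # Only 'Off' sends the detailed .NET error page to remote users.
                "verbose_to_remote": mode == "Off",
                "default_redirect": attrs.get("defaultRedirect"),
                "status_pages": {e.get("statusCode"): e.get("redirect")
                                 for e in (elem.findall("error") if elem is not None else [])},
            })
    return findings


if __name__ == "__main__":
    for name, xml_text in (("VERBOSE", VERBOSE), ("HARDENED", HARDENED)):
        for finding in audit_custom_errors(xml_text):
            print(name, finding)
```

Run it against both web.config files and treat any finding with verbose_to_remote set to True as the condition a scanner would flag.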