Avatar of AIC-Admin
AIC-AdminFlag for United States of America asked on

ASP.Net Debug vulnerability preventing PCI Compliance HELP!

Our PCI Compliance vendor is failing our scans saying that we have ASP.Net Debugging enabled and that scanning results in an "HTTP Status Code 200 OK" rather than the expected 400 Bad Request, 405 Method Not Allowed, or 501 Not Implemented message.

I have gone through and modified the Machine.Config files to add the <deployment retail="true"/> line as specified in http://msdn.microsoft.com/en-us/library/system.web.configuration.deploymentsection.retail(v=vs.110).aspx but they are still saying that a Status 200 OK is being returned.

The PCI vendor reference me to http://support.microsoft.com/default.aspx?scid=kb;en-us;815157 but it clearly says that disabling debugging using the machine.config file overrides debugging enabled in individual web.config files.

We are trying to avoid having to set this configuration in our 200 or so web.config files of which many are different. Has anyone dealt with this or have any insight to he me with this? Is this a known issue with disabling debugging using the retail mode method in the machine.config file?
SecurityMicrosoft IIS Web ServerNetwork Security

Avatar of undefined
Last Comment
AIC-Admin

8/22/2022 - Mon
kaufmed

We are trying to avoid having to set this configuration in our 200 or so web.config files
Well why are you deploying production code with the debug flag enabled? It's called "debug" for a reason.

The web.config files are just XML files. It really wouldn't be that hard to script or write a quick app to traverse all of your directories and remove debugging from each file.
ASKER
AIC-Admin

I do not develop the websites (I'm just the network admin) but I was told by our lead developer that when they deploy code from development to production that they frequently deploy new web.config files. We run ASP.Net version 2 in 32-bit and 64-bit and ASP.Net version 4 in 32-bit and 64-bit. We have numerous web applications as well so we could end up with hundreds of web.config files across our 14 or so app servers.

I will see if our developers can or know how to do what you recommended... write a script or quick app to traverse all of our directories and remove debugging from each file. I assume that would consist of searching for all files named "web.config" then searching the contents of those files for <compilation debug="true"/> and if found changing it to "<compilation debug="false"/>.
kaufmed

Correct.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER CERTIFIED SOLUTION
kaufmed

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
AIC-Admin

Thank you for providing this code! I will keep this for future use.

We ended up writing an "iRule" on our F5 Load Balancer to identify inbound DEBUG requests and automatically reply with a "http 403 forbidden" response which has resolved the issue.