IIS Server Security - Suppressing Public ASP Error Codes

Jody

2006-07-12, 7:18 pm

I am the server Admin for a webmaster who designed a site in Straight ASP
using SQL Server 2000 SP4. I am not a literate ASP programmer and the
webmaster is not very experienced in this area either.

So, I am soliciting some assistance with how to have non-informative ASP
error messages appear to the public?

For example, we recently encountered a permissions issue that generated the
following error message that was displayed at the bottom of the website web
page. Although this issue is resolved we want to prevent this kind of
descriptive error code from being public.
For example:

Active Server Pages error 'ASP 0113'
Script timed out
/lectures.asp

All I have been able to find so far is the custom error pages in IIS. There
are a bunch of htm pages with various messages but none of them have any
error like the one above. The messages I am referring to are added to the
website page, they are not a separate error page as the ones in IIS appear to
be. This leads me to believe that I am not looking in the correct place.

I would greatly appreciate anyone pointing me in the right direction.

Thanks - Jody
Jody

2006-07-12, 7:18 pm

P.S. This site is hosted on a dedicated Windows 2003 Server running IIS 6.0.

Ken Schaefer

2006-07-13, 1:23 am

Create your own custom 500-100.asp error page.

Customise your website in IIS, so that the 500-100 error page points to your
page, and not the default one supplied with IIS.

Then your message will be displayed. Additionally, if you make the custom
page an ASP page itself, you can use the ASPError object to get details
about the error and have them emailed to you (or logged to a database, event
log etc).

Take a look in c:\windows\help\iishelp\common\500-100.asp file for some
ideas on how the ASPError object works.

Cheers
Ken


Jody

2006-07-13, 1:23 am

Thanks Ken,

If I understand you correctly, it is the 500-100.asp page that determines
what error(s) are added to website pages should there be an error?

I do not understand what you mean by:

> "Customise your website in IIS, so that the 500-100 error page points to your
> page, and not the default one supplied with IIS."


What page do I point the 500-100.asp file to? The website has numerous
pages?

Thanks - Jody

Ken Schaefer

2006-07-13, 1:23 am

"Jody" <Jody@discussions.microsoft.com> wrote in message
news:1C3E68C9-506D-48EF-ADA7-6773C153B10D@microsoft.com...
> Thanks Ken,
>
> If I understand you correctly, it is the 500-100.asp page that determines
> what error(s) are added to website pages should there be an error?


When an ASP-related error occurs, IIS will transfer control to whatever is
configured as the error page for 500-100 type errors.


> I do not understand what you mean by:
>
>
> What page do I point the 500-100.asp file to? The website has numerous
> pages?


Create your own page that you would like displayed to users when an ASP
error occurs. Then configure IIS to use that page by changing the custom
errors property for 500-100 errors (500-100 errors are Internal Server
Errors generated by ASP-related problems).

Cheers
Ken




Jody

2006-07-13, 1:23 am

The error I mentioned in my example below was not occurring on a separate
"error page". The error text was added to the existing website page at the
bottom as the page with the script error did finally display.

Also would an "ASP 0113" error be considered a 500-100 error? Just
wondering if the leading zero makes this different or not.

Thanks Ken

Ken Schaefer

2006-07-13, 7:27 am

Hi Jody,

Please read the IIS documentation on custom error pages, and then come back
to us.

The purpose of a custom error page is that this custom page will be served
to the client when an error occurs *rather* than the customer seeing the
default.

For example, when a client requests a non-existent page, you can deliver a
custom 404 error page instead (404 is the HTTP status condition for File Not
Found).

500 error conditions are "Internal Server Error". A 500-100 error is a
specific internal server error caused by an ASP-related error.

So, you would create a custom 500-100 error page. When an ASP error occurs,
IIS will send this error page to the client, rather than the existing page +
error message that you are seeing at the moment.

I'm not going to write out a whole tutorial on how to use IIS, because I
don't have time. That's what the online help is for. Please, read that, and
then get back to us on specific questions you might have.

Cheers
Ken


Daniel Crichton

2006-07-13, 7:27 am

Jody wrote on Wed, 12 Jul 2006 20:31:01 -0700:

> The error I mentioned in my example below was not occurring on a separate
> "error page". The error text was added to the existing website page at
> the bottom as the page with the script error did finally display.
>
> Also would an "ASP 0113" error be considered a 500-100 error? Just
> wondering if the leading zero makes this different or not.


Listen to Ken, he knows what he's talking about. I've got a 500-100.asp page
on my site that shows internal users the complete error message and
additional debugging info, and the general public a simple "an error has
occurred" message. I can't remember where I got the original code I
modified, but the MS Support site is a good place to start.

Dan
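
Added example, not part of the original thread and not any poster's code: one shape a custom 500-100.asp can take, combining the ASPError logging Ken describes with the internal/public split Dan describes. The log path and the internal address prefix are assumed placeholders.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: a custom 500-100 error page (not code from the thread).
' LOG_PATH and INTERNAL_PREFIX are assumed placeholder values.
Const LOG_PATH = "D:\logs\asp-errors.log"  ' keep outside the web root
Const INTERNAL_PREFIX = "10.0.0."          ' internal client address range
Const ForAppending = 8

Dim objErr, strRef, strClient, strDetail, fso, ts

Set objErr = Server.GetLastError()   ' ASPError object for the failed page

' Throw away whatever the failing page had already buffered, so the
' visitor gets this page instead of a half-rendered one plus an error.
If Response.Buffer Then Response.Clear
Response.Status = "500 Internal Server Error"

' Note: behind a reverse proxy REMOTE_ADDR is the proxy's address.
strClient = Request.ServerVariables("REMOTE_ADDR")

' Short reference the visitor can quote; it reveals nothing about the error.
Randomize
strRef = Hex(CLng(Timer * 100)) & "-" & Hex(Int(Rnd * 65535))

strDetail = Now & vbTab & strRef & vbTab & strClient & vbTab & _
            objErr.ASPCode & vbTab & "0x" & Hex(objErr.Number) & vbTab & _
            objErr.Category & vbTab & objErr.File & ":" & objErr.Line & _
            vbTab & objErr.Description
' Keep each log entry on one line.
strDetail = Replace(Replace(strDetail, vbCr, " "), vbLf, " ")

' A logging failure must not raise a second error inside the error page.
On Error Resume Next
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(LOG_PATH, ForAppending, True)
ts.WriteLine strDetail
ts.Close
On Error GoTo 0
%>
<html><head><title>Error</title></head><body>
<h1>An error has occurred</h1>
<p>Please quote reference <%= Server.HTMLEncode(strRef) %> when reporting it.</p>
<% If Left(strClient, Len(INTERNAL_PREFIX)) = INTERNAL_PREFIX Then %>
<pre><%= Server.HTMLEncode(strDetail) %></pre>
<% End If %>
</body></html>
```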


Jody

2006-07-13, 1:21 pm

Thanks to you both. As far as reading ALL the IIS documentation much of it
is not related to what I am needing to know and would take days to sort
through. I am fairly familiar with IIS already; it is only this part that I
was not sure about. I still do not have an answer to my question if the ASP
0311 error is in fact a 500-100 error or not?? I do appreciate Ken's
Explanation however it was not my intention to ask for a full on tutorial.

I did find the radio button in
IIS/Properties/HomeDirectory/Configuration/Debugging tab that allows you to
select what kind of messages are sent to the client or not. Perhaps this is
all I needed? I am waiting on the webmaster to test this by forcing an error
and see what happens.

Daniel Crichton

2006-07-13, 1:21 pm

Jody wrote on Thu, 13 Jul 2006 08:07:01 -0700:

> Thanks to you both. As far as reading ALL the IIS documentation much of
> it is not related to what I am needing to know and would take days to sort
> through. I am fairly familiar with IIS already; it is only this part that I
> was not sure about. I still do not have an answer to my question if the
> ASP 0311 error is in fact a 500-100 error or not?? I do appreciate Ken's
> Explanation however it was not my intention to ask for a full on tutorial.


From what I've seen, all ASP errors that are not generic server errors are
classed as 500-100. If you search google on "500-100.asp" you should find
plenty of pre-built scripts that will make life easier for you.

Dan


Ken Schaefer

2006-07-17, 7:23 am

> As far as reading ALL the IIS documentation much of it
> is not related to what I am needing to know and would take days to sort
> through.


Rubbish. It would probably take you about 5-10 minutes to read the relevant
parts.

> I still do not have an answer to my question if the ASP
> 0311 error is in fact a 500-100 error or not??


You could have simply *tested* this yourself.

Create your own custom 500-100 error page (it doesn't need to do anything
special - it could just say "this is a test page"). Then create an ASP page
that times out (it could just loop for 90 seconds doing nothing). Then see
if your custom error page is loaded or not.

That would have taken 10 seconds to create the page. 10 seconds to put it on
a test server. 90 seconds of waiting. All up, about 2 minutes of your life
to test.

We are not here to answer every question about everything. That's what
manuals are for. I am not going to retype stuff out of manuals and the
Microsoft KB - at some point you need to put in some effort yourself, to
solve what is ultimately your problem and not ours.

Cheers
Ken


Jody

2006-07-17, 1:19 pm

I appreciate the help and advice; it has been very helpful and enlightening.
However there is no need to get nasty. I do not have ANY experience with
this portion of IIS NOR do I code. I am simply trying to figure out what to
assist the webmaster with.

I have a good direction to go in now and I very much appreciate that. I
think it would be nice that instead of assuming where I, or anyone else is
coming from, that it would be more polite to ask. My understanding is that
these forums are not only to help experts solve problems but also to assist
others with less experience. I am sorry if I offended you.
