Hello,

I need a way to configure the Error Pages of IIS 7.0 on Windows Server 2008
individually. If we set Error Responses to Detailed Errors in Error
Pages, the error page will show sensitive details, such as the web site's
physical path. And we do not want to set the same error page for all errors.
How can we hide the information that we don't want to be seen by our
customers?
For example, how can we customize the content of each HTTP error page, such as
404, 403, 500, 503, etc.?

Thanks a lot!

Warm Regards,

--



Fancy Fan
----------------------------------------------------
3/F.,HiChina Mansion,No.27 Gulouwai Avenue Dongcheng
District,Beijing 100011,China
Website: http://www.net.cn
E-Mail: Fancy@hichina.com
Phone: 86-10-64242299 ext 6922
Mobile: 13910686410

Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by Ken

Ken
Mon Mar 10 06:18:33 CDT 2008

Open IIS Manager, and for the server, website or web application you wish to
change the error messages for, locate the "Error Pages" icon. Open this
feature to list available errors that can be customised, and their
properties.

Some error messages (e.g. 503 Service Unavailable) are generated by
http.sys, and they can't be customised inside IIS.

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog


Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by wjzhang

wjzhang
Tue Mar 11 05:01:25 CDT 2008

Hi Fancy,

The default setting of <httpErrors> section's errorMode attribute is
DetailedLocalOnly which means detailed error info will only be returned to
local accesses. Remote users will not see the detailed troubleshooting
info. Can't this achieve your requirement?

If not, please further clarify the exact problem you are looking for. Do
you want to keep using the pages of Detailed Errors and need to
customize/remove some sensitive sections from them? The information in
default Custom error pages is not enough.

Am I understanding correctly on this?

Thanks and have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by wjzhang

wjzhang
Thu Mar 13 07:02:07 CDT 2008

Hi Fancy,

Just want to check if you have any update on this?

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support



Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by Fancy

Fancy
Wed Mar 19 04:17:13 CDT 2008

Hi WenJun and all,

Thanks for your help first!
As you said, DetailedLocalOnly cannot achieve our requirement.
I hope we can customize the content of specific error pages. For example, I
need to create a static error page for Error:404 not found instead of the
default 404 error page. Also I need to create a static error page for
Error:403, 401. But at the same time, I need to keep the default error page for
Error:500 internal server errors so that customers can see the detailed
information about the error reasons. That means I want to find a way to
define every error page for the website, some static, some
detailed (default).
The problem is once I customize one error page (locate the "Error Pages"),
I must choose to display all error pages in this way. That's not convenient for
us. Do you have a better solution?

Thank you so much!

Fancy

19th Mar



Re: How to customize the content of each http error pages? such as by David

David
Thu Mar 20 04:27:36 CDT 2008

Detailed custom errors for customers is a fatal security flaw. This is
why detailed errors are restricted to local by default.

IIS7 allows configuration of static custom error pages for 401, 403,
404, etc, though not all HTTP status codes (like 400, 411, 503, etc)
because HTTP.SYS returns them without telling IIS about it.

My advice is to just configure your custom errors using static pages.
Your desire to reveal server configuration to customers is insecure.
You can easily customize the 500 error page to send your support staff
the detailed email and a simple apology to the customer -- that is far
more secure than dumping the error to the customer and hoping they tell
you about it.

FYI: it is possible for applications on top of IIS to send "custom
error pages" which are not caught by the IIS custom error page handler
(for example, an application that sends its own 404 Not Found page but
sets the HTTP status as 200). Those applications deliberately fool IIS
(and your attempts to customize its error pages).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by wjzhang

wjzhang
Thu Mar 20 04:39:59 CDT 2008

Hi Fancy,

I've confirmed with our IIS dev team for this issue. The default details
error page cannot be customized currently. The proper approach is still
creating your own custom error page for different error codes.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

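
The per-status setup that David and WenJun describe above, as an added example that is not part of any post in this thread: a site-level web.config `<httpErrors>` section, with the weak `Detailed` mode shown in a comment beside a hardened form. The `errors\` file names and the `/errors/500.aspx` handler are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-level web.config. Every file and URL under
     errors\ and /errors/ is a hypothetical name and must exist in the site. -->
<configuration>
  <system.webServer>

    <!-- Weak setting, shown for contrast only. errorMode="Detailed" returns
         the detailed page (including the physical path) to every client:

         <httpErrors errorMode="Detailed" />
    -->

    <!-- Hardened setting. DetailedLocalOnly is the default mode: remote
         clients get the custom pages defined below, and the detailed page
         is rendered only for requests made on the server itself.
         Use errorMode="Custom" to serve the custom pages locally as well. -->
    <httpErrors errorMode="DetailedLocalOnly" existingResponse="Auto">

      <!-- Remove the inherited server-wide entries before redefining them,
           otherwise the duplicate statusCode entries collide. -->
      <remove statusCode="401" subStatusCode="-1" />
      <remove statusCode="403" subStatusCode="-1" />
      <remove statusCode="404" subStatusCode="-1" />
      <remove statusCode="500" subStatusCode="-1" />

      <!-- One static page per status code. responseMode="File" reads the
           file from disk; the path is relative to the site root. -->
      <error statusCode="401" prefixLanguageFilePath=""
             path="errors\401.htm" responseMode="File" />
      <error statusCode="403" prefixLanguageFilePath=""
             path="errors\403.htm" responseMode="File" />
      <error statusCode="404" prefixLanguageFilePath=""
             path="errors\404.htm" responseMode="File" />

      <!-- 500 runs a handler inside the same application instead of
           serving a file. The hypothetical 500.aspx would send the details
           to support staff and show the customer only a short apology. -->
      <error statusCode="500" prefixLanguageFilePath=""
             path="/errors/500.aspx" responseMode="ExecuteURL" />

      <!-- No entries for 400, 411 or 503: as noted in the thread, HTTP.SYS
           answers those itself, so entries here would have no effect. -->
    </httpErrors>

  </system.webServer>
</configuration>
```

ASP.NET applications also have a separate `<customErrors>` setting under `<system.web>`, which governs errors raised inside ASP.NET and is configured independently of this section.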


Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by Fancy

Fancy
Fri Mar 21 04:55:07 CDT 2008

Got it, thanks a lot!

Warm Regards,

Fancy



Re: How to customize the content of each http error pages? such as 404,403,or 500,503 etc. by Fancy

Fancy
Fri Mar 21 04:55:26 CDT 2008

Got it, thanks a lot!

Warm Regards,

Fancy