Substatus Error Codes
Applies To: Windows Server 2003, Windows Server 2003 with SP1
In an effort to reduce the attack surface of IIS, in IIS 6.0, error messages do not return specific error message content, including the substatus error code, to clients. However, to allow administrators to track errors and debug failed requests, IIS provides the ability to record substatus error codes in the W3C Extended log file format. Substatus error code logging is enabled by default. For more information about enabling and disabling substatus error code logging, see Substatus Error Codes in Log Files.
If an error message contains too much information about the server and an explanation of why a particular request failed to execute, malicious users can use the information from the error message to attack the server. For example, an error code such as 404.2 indicates that a file or directory is not returned because the server lockdown policy restricts it. In IIS 6.0, a 404.2 error is returned to the client as a 404 error message. The simple 404 error message does not provide a malicious user with any details about the configuration of the server.
When substatus error code logging is enabled by default, only members of the Administrators group and users with LocalSystem user accounts can access log files that contain substatus error codes. To analyze an error, the administrator locates the error and substatus error code in the log file and checks the code against the IIS 6.0 HTTP.sys error code list. For example, if a client request to an Active Server Pages (ASP) page returned a 403 error, the administrator can determine that the actual error was 403.9 by viewing the log file. The administrator checks the IIS 6.0 HTTP.sys error code list and learns that, in this situation, the file or directory was not found because too many clients were trying to connect to the server at once. The administrator can remedy the situation quickly and easily by changing the maximum number of connections setting to unlimited. To see the IIS 6.0 HTTP.sys error code list, see HTTP Status Codes in IIS 6.0.