SYSK 126: Protect Yourself – Use ‘deployment retail’ Setting
As you know, compiling your web application with <compilation debug="true"/> in web.config creates debug binaries rather than retail binaries -- see SYSK 101: How to Release Build an ASP.NET application (http://blogs.msdn.com/irenak/archive/2006/04/10/572415.aspx).
Besides the fact that your code will not be optimized (i.e. performance may not be optimal), and the fact that your ASP.NET requests will not time out (naturally, in debug mode you want to take your time stepping through the code without being under the same max execution timeout as in production), using a debug version in a production environment is like opening a door and inviting hackers!
.NET 2.0 has a new setting for the machine.config file:
    <configuration>
      <system.web>
        <deployment retail="true"/>
      </system.web>
    </configuration>
By setting ‘deployment retail’ to true, you’re telling ASP.NET to disable certain configuration settings such as trace output, custom errors, and debug capabilities, regardless of the instructions in your web.config file.
So, protect yourself by setting <deployment retail="true"/> in machine.config on your production servers!
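To check a server's configuration against the advice above, here is an added example (not code from the original post) that reports risky web.config settings and whether machine.config's retail flag overrides them. The sample XML is constructed, the function names are hypothetical, and it assumes config files without an XML namespace or <location> overrides.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (illustrative, not from a real server).
MACHINE_RETAIL = ('<configuration><system.web>'
                  '<deployment retail="true"/>'
                  '</system.web></configuration>')
MACHINE_DEFAULT = '<configuration><system.web/></configuration>'
WEB_RISKY = """<configuration>
  <system.web>
    <compilation debug="true"/>
    <trace enabled="true"/>
    <customErrors mode="Off"/>
  </system.web>
</configuration>"""

# Settings the article says retail overrides: (element, attribute, risky value).
RISKY = [("compilation", "debug", "true"),
         ("trace", "enabled", "true"),
         ("customErrors", "mode", "off")]

def _value(xml_text, element, attribute):
    """Lower-cased attribute of <system.web>/<element>, or '' if absent."""
    node = ET.fromstring(xml_text).find("system.web/" + element)
    return "" if node is None else node.get(attribute, "").strip().lower()

def retail_enabled(machine_xml):
    """True when machine.config carries <deployment retail="true"/>."""
    return _value(machine_xml, "deployment", "retail") == "true"

def audit(machine_xml, web_xml):
    """Return [(setting, status)] for each risky web.config setting found."""
    status = "overridden by retail" if retail_enabled(machine_xml) else "EXPOSED"
    findings = []
    for element, attribute, risky in RISKY:
        if _value(web_xml, element, attribute) == risky:
            findings.append((f'{element} {attribute}="{risky}"', status))
    return findings

if __name__ == "__main__":
    for label, machine in (("retail=true", MACHINE_RETAIL),
                           ("no retail", MACHINE_DEFAULT)):
        for setting, status in audit(machine, WEB_RISKY):
            print(f"[{label}] {setting}: {status}")
```

Settings reported as overridden are still worth cleaning up in web.config, since the same file may later be deployed to a server without the retail flag.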