When requesting a non-existent page (404.0) for debugging error log shows output error identification (which is useful for debugging applications), but it also shows the physical path to the web root.
This feature should be disabled on production servers. This data can provide an attacker with additional information about the infrastructure.
It can be modified in the IIS settings:
- Open the Internet Services Manager.
- Select the Default Web Site.
- Click the Error Pages icon.
- Choose the error 404, and then select the Edit button.