One of the most common errors while deploying ASP.NET websites into a production environment is to leave the Trace and Debug enabled or leave the custom errors attribute disabled.
Note: To improve performance, the recommended practice while deploying an ASP.NET application is to set Trace and Debug attributes to false and to improve security, leave the Custom Errors attribute enabled.
If you are a web administrator and have several websites deployed on your server, then here’s a simple tip to override these deployment mistakes. Just add the following element inside your machine.config file
<deployment retail="true" />
When retail is set to true, ASP.NET disables certain configuration settings such as trace output, custom errors, and debug capabilities.
Note: This value can only be set at the machine level, not at the application level.
Also make sure that you read this post from ScottGu’s blog Important: ASP.NET Security Vulnerability. This patch has to be applied even if you have the attribute retail=true on your machines.