1.3 Ensure 'Directory browsing' is set to Disabled - directory browsing is set to disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met:

No specific file is requested in the URL

The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list

Note: If directory browsing is enabled (an exception to this recommendation), make sure that it is only enabled on the particular directory or directories that need to be shared.

Rationale:

Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS.

Impact:

Users will not be able to see the contents of directories.

Solution

Directory Browsing can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. To disable directory browsing at the server level using an appcmd.exe command:

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath iis:\ -Name Enabled -Value False

Default Value:

In IIS, directory browsing is disabled by default.

See Also

https://workbench.cisecurity.org/files/4131