WA000-WI090 IIS6 - Directory browsing must be disabled.

Information

Disabling directory browsing ensures that the directory structure, filenames, and web publishing features are not accessible. Such information, and the contents of the files listed, are normally readable by the anonymous web user, yet are not intended to be viewed, as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can also be used to facilitate directory traversal and subsequent directory traversal exploits.

Solution

1. Open the IIS Manager > Right-click on the website under review > Select Properties > Select the Home Directory tab.
2. Uncheck the Directory browsing check box.

NOTE: This procedure should be completed on all directories (including sub-directories) and virtual directories within the site.
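To confirm the setting on every directory and virtual directory rather than clicking through each one, the following added example (not part of the STIG or the audit plugin) audits a copy of the IIS 6 metabase file offline. It assumes the MetaBase.xml layout in which each node carries a Location attribute and an optional pipe-separated DirBrowseFlags attribute containing EnableDirBrowsing when browsing is on, with child nodes inheriting from the nearest parent that sets the attribute; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6 MetaBase.xml (not from a real server).
SAMPLE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" DirBrowseFlags="DirBrowseShowDate | EnableDefaultDoc"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Example Site"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"
    DirBrowseFlags="DirBrowseShowDate | EnableDirBrowsing | EnableDefaultDoc"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/images"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/admin" DirBrowseFlags="EnableDefaultDoc"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/docs" Path="d:\docs"
    DirBrowseFlags="EnableDirBrowsing"/>
</MBProperty>
</configuration>"""

# Metabase node types that can carry web directory settings.
WEB_KEYS = {"IIsWebService", "IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory"}

def load_nodes(xml_text):
    """Map upper-cased Location -> (original Location, explicit flag set or None)."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc and el.tag.rpartition("}")[2] in WEB_KEYS:
            raw = el.get("DirBrowseFlags")
            flags = None if raw is None else {f.strip() for f in raw.split("|")}
            nodes[loc.upper().rstrip("/")] = (loc, flags)
    return nodes

def effective_flags(nodes, key):
    """Climb the metabase path until a node sets DirBrowseFlags itself (inheritance)."""
    while key:
        loc, flags = nodes.get(key, (None, None))
        if flags is not None:
            return flags, loc
        key = key.rpartition("/")[0]
    return set(), None

def audit(xml_text):
    """Return (Location, source) for every node where browsing is effectively on."""
    nodes = load_nodes(xml_text)
    findings = []
    for key in sorted(nodes):
        loc = nodes[key][0]
        flags, source = effective_flags(nodes, key)
        if "EnableDirBrowsing" in flags:
            findings.append((loc, "explicit" if source == loc else "inherited from " + source))
    return findings

if __name__ == "__main__":
    for loc, why in audit(SAMPLE):
        print(f"FINDING {loc}: directory browsing enabled ({why})")
```

A sub-directory reported as "inherited" is cleared by fixing the parent it names; one reported as "explicit" has its own override and must be corrected individually.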

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, Rule-ID|SV-38016r1_rule, STIG-ID|WA000-WI090_IIS6, Vuln-ID|V-6755

Plugin: Windows

Control ID: 85b4cfe85070821b5044e149f01e4b21ae2577a0cce0b4c4a727d8bb01b936fc