1.3 Ensure 'directory browsing' is set to disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met:
1. No specific file is requested in the URL
2. The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list
It is recommended that directory browsing be disabled.
Rationale:
Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS.

Solution

Directory Browsing can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. To disable directory browsing at the server level using an appcmd.exe command:
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath iis:\ -Name Enabled -Value False
Default Value:
In IIS, directory browsing is disabled by default.

See Also

https://workbench.cisecurity.org/files/2297