1.3 Ensure 'directory browsing' is set to disabled

Information

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met:
1. No specific file is requested in the URL
2. The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list

It is recommended that directory browsing be disabled.

Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS.

Solution

Directory Browsing can be set by using the UI, running appcmd.exe commands, by editing configuration files directly, or by writing WMI scripts. To disable directory browsing at the server level using an appcmd.exe command:
%systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false

See Also

https://workbench.cisecurity.org/files/166

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Windows

Control ID: 0cda78d32da1f5ce001c8ac6c0e072dfc734bfeea0923ab48f780eb7fae00cbd