Check: WA000-WI090 IIS6
IIS6 Site: WA000-WI090 IIS6 (in version v6 r16)
Title
Directory browsing must be disabled. (Cat II impact)
Discussion
This ensures the directory structure, filenames, and web publishing features are not accessible. Such information and the contents of the files listed are normally readable by the anonymous web user, yet are not intended to be viewed, as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate directory traversal and subsequent directory traversal exploits.
Check Content
1. Open the IIS Manager > Right click on the web site under review > Select properties > Select the Home Directory tab.
2. Ensure the Directory browsing check box is not selected.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.

If the Directory Browsing feature is enabled, this is a finding.
Fix Text
1. Open the IIS Manager > Right click on the website under review > Select properties > Select the Home Directory tab.
2. Uncheck the Directory browsing check box.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.
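The NOTE in Check Content and Fix Text requires every directory and virtual directory to be reviewed, which is slow to do by clicking through IIS Manager. The following is an added example, not part of the STIG: it reads a copy of the IIS 6 metabase XML and lists every node where the `EnableDirBrowsing` flag of the `DirBrowseFlags` property is in effect, either set on the node or inherited from the nearest parent that sets the property. The sample XML is constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS 6 MetaBase.xml copy (not from a real server).
SAMPLE = """<configuration><MBProperty>
<IIsWebService Location="/LM/W3SVC" DirBrowseFlags="DirBrowseShowDate | EnableDefaultDoc"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/files"
    DirBrowseFlags="DirBrowseShowDate | EnableDirBrowsing"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/files/archive"/>
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/files/private" DirBrowseFlags="EnableDefaultDoc"/>
</MBProperty></configuration>"""


def effective_flags(nodes, loc):
    """Walk up the metabase path to the nearest node that sets DirBrowseFlags."""
    path = loc
    while path:
        flags = nodes.get(path)
        if flags is not None:
            return flags, path
        path = path.rpartition("/")[0]
    return set(), None  # property not set anywhere on the path


def audit(xml_text, root="/LM/W3SVC"):
    """Return (node, node_that_sets_the_flag) for each node with browsing in effect."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = (el.get("Location") or "").upper()  # metabase paths are case-insensitive
        if loc == root or loc.startswith(root + "/"):
            raw = el.get("DirBrowseFlags")
            # None means "not set here": the value is inherited from a parent node.
            nodes[loc] = None if raw is None else {f.strip() for f in raw.split("|")}
    findings = []
    for loc in sorted(nodes):
        flags, source = effective_flags(nodes, loc)
        if "EnableDirBrowsing" in flags:
            findings.append((loc, source))
    return findings


if __name__ == "__main__":
    for node, source in audit(SAMPLE):
        print(f"FINDING {node} (DirBrowseFlags set at {source})")
```

Physical sub-directories with no metabase entry of their own inherit from the nearest listed parent, so a finding on a parent node covers them as well.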
Additional Identifiers
Rule ID: SV-38016r1_rule
Vulnerability ID: V-6755
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.