Configure IIS to return 404 for directory browse attempts

Question

In IIS (6 or 7), when Directory Browsing is disabled, IIS returns a "403 - Forbidden" error when it detects an attempt to browse a directory (eg "http://mydomain.com/folder").

Is there any way to configure IIS to return a "404 - Not Found" error instead of a "403" for directory browse attempts?

This is an asp.net webforms site.

A security scan of our site noted that returning "403" could assist a malicious person mapping our site; had not thought of that before, but I have to admit it makes sense.

Answer 1

The solution that worked for us (IIS7):

1. disable directory browsing => 403
2. create a default document (default.htm or whatever default file name is configured) => 200
3. set the default document's file attributes to hidden => 404

Answer 2

In IIS (7 and above) go to Request Filtering and there is a tab called Hidden Segments. You can just add the name of directory you want to be hidden and it will now return a 404.

Answer 3

If you are using ASP.Net MVC add the following handler into web.config

<system.webServer>
  <handlers>
    <add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*" 
         preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
  </handlers>
</system.webServer>