Configure IIS to return 404 for directory browse attempts

Tags: asp.net, iis

In IIS (6 or 7), when Directory Browsing is disabled, IIS returns a "403 - Forbidden" error when it detects an attempt to browse a directory (e.g. "http://mydomain.com/folder").

Is there any way to configure IIS to return a "404 - Not Found" error instead of a "403" for directory browse attempts?

This is an asp.net webforms site.

A security scan of our site noted that returning "403" could assist a malicious person mapping our site; had not thought of that before, but I have to admit it makes sense.

Tom Regan asked Sep 16 '13 14:09


3 Answers

The solution that worked for us (IIS7):

  1. disable directory browsing => 403
  2. create a default document (default.htm or whatever default file name is configured) => 200
  3. set the default document's file attributes to hidden => 404

szd answered Nov 18 '22 11:11


In IIS (7 and above) go to Request Filtering and there is a tab called Hidden Segments. You can just add the name of the directory you want to be hidden and it will now return a 404.

BrianH answered Nov 18 '22 10:11


If you are using ASP.NET MVC, add the following handler to web.config:

<system.webServer>
  <handlers>
    <add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*" 
         preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
  </handlers>
</system.webServer>

Hovhannes Hakobyan answered Nov 18 '22 09:11
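
To check whether any of the approaches above took effect, the IIS logs can be audited for directory requests that are still answered with 403. The following is an added example, not code from the question or its answers; it assumes W3C-format logs with the sc-status and sc-substatus fields enabled, treats 403 with sub-status 14 (IIS's "directory listing denied") as the signal, and runs on constructed sample lines.

```python
# Added example: audit IIS W3C logs for responses that still reveal directories.
# Assumption: sc-substatus is logged; 403.14 is "directory listing denied".

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2013-09-16 14:09:01 GET /folder/ 403 14
2013-09-16 14:09:02 GET /images/ 404 0
2013-09-16 14:09:03 GET /admin/ 404 8
2013-09-16 14:09:04 GET /default.aspx 200 0
2013-09-16 14:09:05 GET /reports 403 14
2013-09-16 14:09:06 GET /secure/page.aspx 403 6
"""  # constructed sample lines, not real traffic


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def leaking_directories(text):
    """Return sorted URL stems answered with 403.14 (directory exists, listing denied)."""
    hits = set()
    for row in parse_w3c(text):
        if row.get("sc-status") == "403" and row.get("sc-substatus") == "14":
            hits.add(row["cs-uri-stem"].rstrip("/") or "/")
    return sorted(hits)


def status_summary(text):
    """Count responses per status.substatus, to see what replaced the 403.14s."""
    counts = {}
    for row in parse_w3c(text):
        key = f'{row.get("sc-status")}.{row.get("sc-substatus")}'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for path in leaking_directories(SAMPLE_LOG):
        print("still returns 403.14:", path)
    print(status_summary(SAMPLE_LOG))
```

Other 403 sub-statuses are deliberately not flagged, since they are not produced by directory browse attempts.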