What is directory browsing in IIS

A website directory (also known as a virtual directory) functions much like a folder on a local machine; however, it exists on the web server's file system and provides a structured and secure way to organize website content on an IIS server.

 

Website directories act as logical containers for all the files that make up your website, including HTML pages, images, scripts, music, configuration files, and application binaries. Permissions assigned to directories control access to their contents. This allows you to restrict access to sensitive files or entire sections of your website.


IIS directory browsing URLs

Web servers translate these website directory folders into URLs, enabling users to access website content through their web browsers. For instance, a file named "contact.html" within a "/contact" directory might be accessible via the URL https://www.calcomsoftware.com/contact.

 

When directory browsing is enabled, visitors can see and navigate through the list of files and folders in that directory. This gives them access to all content of the website.

 

When IIS Directory browsing is disabled, visitors won’t see the list of files and folders. Instead, they’ll only see the specific files you link to from your website, such as web pages, images, or downloads. This keeps the contents of the directory hidden unless you specifically provide links to them.


Why it’s important to restrict directory browsing

For security reasons, directory browsing is usually disabled by default to prevent unauthorized access to sensitive files and the underlying directory structure. Although it is possible to select which directory or directories have browsing enabled, there is still the possibility of an attacker gaining access to the entire directory, including sensitive files and folders.

This can be done in a variety of ways, including using the disclosed information for future attacks, exploiting known vulnerabilities within a script or application in use, or brute-force guessing to gain access to a website or sensitive data.


How to enable directory browsing

By following the procedure below, published by Microsoft, you can enable directory browsing:
(https://learn.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)


  1. Open Internet Information Services (IIS) Manager:

     • If you are using Windows Server 2012 or Windows Server 2012 R2:
       On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

     • If you are using Windows 8 or Windows 8.1:
       Hold down the Windows key, press the letter X, and then click Control Panel.
       Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

     • If you are using Windows Server 2008 or Windows Server 2008 R2:
       On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

     • If you are using Windows Vista or Windows 7:
       On the taskbar, click Start, and then click Control Panel.
       Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

  2. In the Connections pane, expand the server name, and then go to the site, application, or directory where you want to enable directory browsing.

  3. In the Home pane, double-click Directory Browsing.

  4. In the Actions pane, click Enable.

  5. In the Directory Browsing pane, select the options that correspond to the information you want to display for each item in the directory, and then click Apply.

 

How to disable directory browsing

There are a number of ways to disable directory browsing, including using the built-in UI, running appcmd.exe commands, editing the configuration files directly, or writing WMI scripts.

To disable directory browsing at the server level using an appcmd.exe command:

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath iis:\ -Name Enabled -Value False
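As an added example (not code from this article or from Microsoft's documentation), the same cmdlets can be turned into a small audit-and-remediate script that reports the effective directoryBrowse setting at the server level and for every site and application, then disables it wherever it is on. It assumes an IIS host with the WebAdministration module and an elevated PowerShell session; the function names are my own.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes an IIS host with the WebAdministration module, run from an elevated
# PowerShell session. Audits the directoryBrowse setting at the server level and
# for every site and application (each can override the server default), then
# disables it wherever it is found enabled.
Import-Module WebAdministration

$Filter = 'system.webServer/directoryBrowse'

function Test-DirectoryBrowsing {
    param([Parameter(Mandatory)][string]$PSPath)
    # Depending on the module version the cmdlet returns either a plain [bool]
    # or a ConfigurationAttribute whose .Value holds the bool; handle both.
    $attr = Get-WebConfigurationProperty -Filter $Filter -PSPath $PSPath -Name enabled
    if ($attr -is [bool]) { return $attr }
    return [bool]$attr.Value
}

function Get-DirectoryBrowsingReport {
    $report = @()
    # Server-level default stored in applicationHost.config
    $report += [pscustomobject]@{ Scope = 'Server'; Path = 'IIS:\'; Enabled = (Test-DirectoryBrowsing -PSPath 'IIS:\') }

    foreach ($site in Get-Website) {
        $sitePath = "IIS:\Sites\$($site.Name)"
        $report += [pscustomobject]@{ Scope = 'Site'; Path = $sitePath; Enabled = (Test-DirectoryBrowsing -PSPath $sitePath) }

        foreach ($app in Get-WebApplication -Site $site.Name) {
            # Application paths come back as '/name'; the IIS: drive uses backslashes
            $appPath = $sitePath + ($app.Path -replace '/', '\')
            $report += [pscustomobject]@{ Scope = 'Application'; Path = $appPath; Enabled = (Test-DirectoryBrowsing -PSPath $appPath) }
        }
    }
    return $report
}

function Disable-DirectoryBrowsing {
    param([Parameter(Mandatory)][string]$PSPath)
    Set-WebConfigurationProperty -Filter $Filter -PSPath $PSPath -Name enabled -Value $false
}

$findings = Get-DirectoryBrowsingReport
$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object { $_.Enabled }) {
    Write-Warning "Directory browsing is enabled at $($f.Path); disabling it."
    Disable-DirectoryBrowsing -PSPath $f.Path
}
```

The report shows the effective setting at each scope (inherited or overridden), which is what an audit against the CIS recommendation needs; remove the final loop to run it as a read-only check.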

Directory browsing compatibility across IIS versions

 

The following table shows which versions of IIS are compatible with directory browsing:

 

Version    Notes
IIS 10.0   The <directoryBrowse> element was not modified in IIS 10.0.
IIS 8.5    The <directoryBrowse> element was not modified in IIS 8.5.
IIS 8.0    The <directoryBrowse> element was not modified in IIS 8.0.
IIS 7.5    The <directoryBrowse> element was not modified in IIS 7.5.
IIS 7.0    The <directoryBrowse> element was introduced in IIS 7.0.
IIS 6.0    The <directoryBrowse> element replaces the IIS 6.0 DirBrowseFlags metabase property.

 

Attributes

The following table shows the attributes of the <directoryBrowse> element that control the directory browsing setting:

Attribute    Description
enabled      Optional Boolean attribute. Specifies whether directory browsing is enabled (true) or disabled (false) on the Web server. The default value is false.
showFlags    Optional flags attribute. The showFlags attribute can have one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default values are Date, Time, Size, Extension.

 

Default value

 

In IIS, directory browsing is disabled by default.

 

Recommended setting

Disabled

Best practices

 

Understanding the role of directory browsing is essential for efficient website management, security configuration, and application deployment within the IIS environment. Server hardening is a stress-free alternative to spending hundreds of hours understanding each individual security setting in IIS, while remaining confident that your information and data are well looked after.
