Directory Browsing IIS –  keep it behind closed doors

4 Minutes Read Updated on May 21, 2025

What is directory browsing IIS

A website directory, also known as a virtual directory, functions similarly to a folder on a local machine. However, it exists on the web server’s file system and provides a structured and secure way to organize website content on an IIS server.

Website directories act as logical containers for all the files that make up your website, including HTML pages, images, scripts, music, configuration files, and application binaries. Permissions assigned to directories control access to their contents. This allows you to restrict access to sensitive files or entire sections of your website.


IIS directory browsing URLs

 

Web servers translate these website directory folders into URLs, enabling users to access website content through their web browsers. For instance, a file named “contact.html” within a “/contact” directory might be accessible via the URL https://calcomsoftware.com/contact-us/.

 

When directory browsing is enabled, visitors can see and navigate through the list of files and folders in that directory. This gives them access to all content of the website.

When IIS Directory browsing is disabled, visitors won’t see the list of files and folders. Instead, they’ll only see the specific files you link to from your website, such as web pages, images, or downloads. This keeps the contents of the directory hidden unless you specifically provide links to them.

Why it’s important to restrict directory browsing

 

For security reasons, directory browsing is usually disabled by default to prevent unauthorized access to sensitive files and the underlying directory structure. Although it is possible to select which directory or directories have browsing enabled, there is still the possibility of an attacker gaining access to the entire directory, including sensitive files and folders.

This can be done in a variety of ways, including using disclosed information for future attacks, exploiting known vulnerabilities within a script or application in use, or brute-force guessing to gain access to a website or sensitive data.

How to enable directory browsing

 

You can enable directory browsing by following this procedure from Microsoft
(https://learn.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse):

1. Open Internet Information Services (IIS) Manager:
   • If you are using Windows Server 2012 or Windows Server 2012 R2:
      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
   • If you are using Windows 8 or Windows 8.1:
      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
   • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
   • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2. In the Connections pane, expand the server name, and then go to the site, application, or directory where you want to enable directory browsing.

3. In the Home pane, double-click Directory Browsing.

4. In the Actions pane, click Enable.

5. In the Directory Browsing pane, select the options that correspond to the information you want to display for each item in the directory, and then click Apply.

How to disable directory browsing

There are a number of ways to disable directory browsing, including using the built-in UI, running appcmd.exe commands, editing configuration files directly, or writing WMI scripts.

To disable directory browsing at the server level using an appcmd.exe command:

Enter the following AppCmd.exe command:

%systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath iis:\ -Name Enabled -Value False
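The commands above set the server-level value, but the enable procedure earlier can be applied to an individual site or application, so a lower level may still have browsing turned on. The following audit script is an added example, not code from the original article or from Microsoft; it assumes the WebAdministration module is available and that it runs in an elevated session on the IIS server, and the function name Get-DirectoryBrowseState is hypothetical.

```powershell
# Added example (not from the original article): report where directory
# browsing is enabled, at server, site and application scope.
# Assumes the WebAdministration module and an elevated session on the IIS host.
Import-Module WebAdministration

$filter = 'system.webServer/directoryBrowse'

# Hypothetical helper name: returns the effective 'enabled' value for one scope.
function Get-DirectoryBrowseState {
    param([Parameter(Mandatory)][string]$PSPath)

    # Same section the article's Set- command targets, read instead of written.
    $prop  = Get-WebConfigurationProperty -Filter $filter -PSPath $PSPath -Name enabled
    # The cmdlet normally returns an attribute object with a Value property;
    # accept a bare Boolean as well so the result is never silently wrong.
    $value = if ($prop -is [bool]) { $prop } else { $prop.Value }
    [pscustomobject]@{
        Scope   = $PSPath
        Enabled = [bool]$value
    }
}

# Server root first, then every site and the applications beneath it,
# because a lower level can override the server-level value.
$scopes = @('IIS:\')
foreach ($site in Get-Website) {
    $sitePath = "IIS:\Sites\$($site.Name)"
    $scopes += $sitePath
    foreach ($app in Get-WebApplication -Site $site.Name) {
        # $app.path looks like "/shop"; convert it to a provider path segment.
        $scopes += $sitePath + ($app.path -replace '/', '\')
    }
}

$report = $scopes | ForEach-Object { Get-DirectoryBrowseState -PSPath $_ }
$report | Format-Table -AutoSize

$enabledScopes = @($report | Where-Object { $_.Enabled })
if ($enabledScopes.Count -gt 0) {
    Write-Warning "Directory browsing is enabled in $($enabledScopes.Count) scope(s)."
    # To remediate a finding, apply the article's command to that scope:
    # $enabledScopes | ForEach-Object {
    #     Set-WebConfigurationProperty -Filter $filter -PSPath $_.Scope -Name enabled -Value $false
    # }
} else {
    Write-Output 'Directory browsing is disabled in every scope checked.'
}
```

Physical subfolders and virtual directories that carry their own web.config are not enumerated by this script and need a separate check.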

Directory browsing in IIS compatibility

The following table shows which versions of IIS are compatible with directory browsing:

Version Notes
IIS 10.0 The <directoryBrowse> element was not modified in IIS 10.0.
IIS 8.5 The <directoryBrowse> element was not modified in IIS 8.5.
IIS 8.0 The <directoryBrowse> element was not modified in IIS 8.0.
IIS 7.5 The <directoryBrowse> element was not modified in IIS 7.5.
IIS 7.0 The <directoryBrowse> element was introduced in IIS 7.0.
IIS 6.0 The <directoryBrowse> element replaces the IIS 6.0 DirBrowseFlags metabase property.

Attributes

The following table shows the attributes associated with the different configurations of the directory browsing setting:

Attribute Description
enabled Optional Boolean attribute. Specifies whether directory browsing is enabled (true) or disabled (false) on the Web server. The default value is false.
showFlags Optional flags attribute. The showFlags attribute can have one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default values are Date, Time, Size, Extension.

 

Default value

 

In IIS, directory browsing is disabled by default.

Recommended setting

 Disabled

Best practices

Understanding the role of directory browsing is essential for efficient website management, security configuration, and application deployment within the IIS environment. Server hardening is a stress-free alternative to spending hundreds of hours understanding each individual security setting in IIS, while remaining confident that your information and data are well looked after.

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
