
Directory browsing must be disabled.


Overview

Finding ID: V-6755
Version: WA000-WI090 IIS6
Rule ID: SV-38016r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Disabling directory browsing ensures the directory structure, filenames, and web publishing features are not accessible. Such information, and the contents of the files listed, are normally readable by the anonymous web user, yet are not intended to be viewed, as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate directory traversal and subsequent directory traversal exploits.
STIG: IIS6 Site
Date: 2015-06-01

Details

Check Text (C-37368r1_chk)
1. Open the IIS Manager > Right-click on the web site under review > Select Properties > Select the Home Directory tab.
2. Ensure the Directory browsing check box is not selected.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.

If the Directory Browsing feature is enabled, this is a finding.
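
The NOTE above requires the same check on every directory and virtual directory, which is slow to do by hand in IIS Manager. The following is an added example, not part of the STIG: it walks the IIS 6 metabase through the ADSI IIS:// provider and reports the EnableDirBrowsing setting for each site, directory and virtual directory. It assumes PowerShell 2.0 or later and local administrator rights on the web server; the function name and output property names are illustrative.

```powershell
# Added example (not STIG content): audit Directory browsing across the IIS 6 metabase.
# Assumes PowerShell 2.0+ run locally as an administrator on the IIS 6 host.
function Get-DirBrowsingAudit {
    param([string]$Path = 'IIS://localhost/W3SVC')

    # Metabase node classes that carry the Directory browsing setting.
    $auditable = 'IIsWebServer', 'IIsWebVirtualDir', 'IIsWebDirectory'
    $node = [ADSI]$Path

    if ($auditable -contains $node.psbase.SchemaClassName) {
        # The IIS ADSI provider resolves metabase inheritance, so a value
        # inherited from a parent key is reported as the effective setting.
        $enabled = [bool]$node.psbase.Properties['EnableDirBrowsing'].Value
        New-Object PSObject -Property @{
            Path        = $node.psbase.Path
            Class       = $node.psbase.SchemaClassName
            DirBrowsing = $enabled
        }
    }

    # Recurse into child keys (sites, ROOT, directories, virtual directories).
    foreach ($child in $node.psbase.Children) {
        Get-DirBrowsingAudit -Path $child.psbase.Path
    }
}

$results  = @(Get-DirBrowsingAudit)
$findings = @($results | Where-Object { $_.DirBrowsing })

$results | Sort-Object Path | Format-Table Path, Class, DirBrowsing -AutoSize

if ($findings.Count -gt 0) {
    Write-Warning ("Directory browsing is enabled on {0} node(s); this is a finding." -f $findings.Count)
} else {
    Write-Output "Directory browsing is not enabled on any audited node."
}
```

Physical sub-directories that have no metabase key of their own do not appear in the output; they take the setting of the nearest parent node that does.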
Fix Text (F-32605r1_fix)
1. Open the IIS Manager > Right-click on the website under review > Select Properties > Select the Home Directory tab.
2. Uncheck the Directory browsing check box.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.