Disable Directory Listing in IIS
Solution 1
You need to disable directory browsing from IIS or from the web.config
<configuration>
<location path="Secured">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
</location>
</configuration>
this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager
Solution 2
There are 2 ways using which you can disable the Directory Listing: This has been tested & works for IIS 10.
1. Web.config
<configuration>
<system.webServer>
<directoryBrowse enabled="false" /> <!--this line will disable directory browsing-->
</system.webServer>
</configuration>
2. IIS
Go to Internet Information Services(IIS) and look for the Directory Browser
option. Select it and on the right corner you see an option Open Feature
. Click on it and it will take you to another tab. Now select Disable and you see that the browsing has been disabled.
Related videos on Youtube
Comments
-
Tapas Bose almost 2 years
In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:
The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:
<configuration> <location path="Secured"> <system.web> <authorization> <deny users="?"/> <allow users="*"/> </authorization> </system.web> </location> </configuration>
And the main Web.config has:
<authentication mode="Forms"> <forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" /> </authentication>
So when the application launches it redirects to the Login page with the URL:
http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx
Now if I delete the
Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx
from that URL and press enter it is taking me to the Directory Listing:
What I want that it will again send me to the Login page located at
How can I achieve this? Your help be appreciated.
Thanks.
The localhost:
-
Tapas Bose about 12 yearsThanks for reply. If I navigate to localhost as in the above image it is showing IIS7. But in Start->Control Panel->Administrative Tools I can see there are two Internet Information Services Managers. One is Internet Information Services (IIS) 6.0 Managers and another Internet Information (IIS) Services Managers. I am unable to understand whether or not I am running in IIS7. Also I am executing the application from Visual Studio. I have tried your code both in main Web.config and in Web.config of Pages. But none of them is working. How can I disable it from IIS6 Manager?
-
scartag about 12 years@Tapas Bose currently your app is running on Asp.net development server (Cassini). You may have to configure it to run on IIS by going to the project properties > Web tab and setting it to IIS and creating a virtual directory
-
Tapas Bose about 12 yearsI have added your code in main Web.config and have changed the properties to use Local IIS server and now I am getting HTTP Error 403.14 - Forbidden error message if I try to browse localhost/EMSApplication.Web/Pages. This will help to protect the website. But isn't there any way to redirect again in Login page? Thanks for your help.
-
scartag about 12 years@TapasBose maybe you should put a default page on that folder (Default.aspx) a 403.14 means it can't load any default doc and from your screenshots i can see you don't have a default document.