Disable Directory Listing in IIS

Asked 21/3, 2012 at 14:19 Answered 10/6, 2020 at 13:7

Solved asp.net url iis directory-listing

In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:

enter image description here

The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:

<configuration>
<location path="Secured">
    <system.web>
    <authorization>     
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
    </system.web>
</location>
</configuration>

And the main Web.config has:

<authentication mode="Forms">
  <forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" />
</authentication>

So when the application launches it redirects to the Login page with the URL:

http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

Now if I delete the

Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

from that URL and press enter it is taking me to the Directory Listing:

enter image description here

What I want that it will again send me to the Login page located at

http://localhost:2453/Pages/Login.aspx

How can I achieve this? Your help be appreciated.

Thanks.

The localhost: enter image description here

Monetary answered 21/3, 2012 at 14:19 Comment(0)

You need to disable directory browsing from IIS or from the web.config

<configuration>
  <location path="Secured">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager

Jonna answered 21/3, 2012 at 14:22 Comment(4)

Thanks for reply. If I navigate to localhost as in the above image it is showing IIS7. But in Start->Control Panel->Administrative Tools I can see there are two Internet Information Services Managers. One is Internet Information Services (IIS) 6.0 Managers and another Internet Information (IIS) Services Managers. I am unable to understand whether or not I am running in IIS7. Also I am executing the application from Visual Studio. I have tried your code both in main Web.config and in Web.config of Pages. But none of them is working. How can I disable it from IIS6 Manager? – Monetary 21/3, 2012 at 14:36

@Tapas Bose currently your app is running on Asp.net development server (Cassini). You may have to configure it to run on IIS by going to the project properties > Web tab and setting it to IIS and creating a virtual directory – Jonna 21/3, 2012 at 14:39

I have added your code in main Web.config and have changed the properties to use Local IIS server and now I am getting HTTP Error 403.14 - Forbidden error message if I try to browse localhost/EMSApplication.Web/Pages. This will help to protect the website. But isn't there any way to redirect again in Login page? Thanks for your help. – Monetary 21/3, 2012 at 15:14

@TapasBose maybe you should put a default page on that folder (Default.aspx) a 403.14 means it can't load any default doc and from your screenshots i can see you don't have a default document. – Jonna 21/3, 2012 at 15:23

There are 2 ways using which you can disable the Directory Listing: This has been tested & works for IIS 10.

1. Web.config

<configuration>
   <system.webServer>
       <directoryBrowse enabled="false" /> <!--this line will disable directory browsing-->
   </system.webServer>
</configuration>

2. IIS

Go to Internet Information Services(IIS) and look for the Directory Browser option. Select it and on the right corner you see an option Open Feature. Click on it and it will take you to another tab. Now select Disable and you see that the browsing has been disabled.

Immigration answered 10/6, 2020 at 13:7 Comment(0)

1. Web.config

2. IIS

Recommended topics

Hot tags