Technology Toolbox

Your technology Sherpa for the Microsoft platform

Jeremy Jameson - Founder and Principal



Is directory browsing enabled or disabled on your website?

A few weeks ago I was investigating an issue with the Technology Toolbox website and I discovered that directory browsing was enabled. This came as quite a shock since I was 99% certain that directory browsing is disabled by default in IIS.

If I recall correctly, a big part of Windows Server 2003 (and IIS 6) was to change the default settings to provide a minimal attack surface. [Remember Code Red, Nimbda, et al.? Boy, I definitely don't miss those days at all -- especially since I was an employee of Microsoft throughout those times. Talk about developing a "tough skin" ;-)]

After a quick search for "WinHost directory browsing" I quickly discovered this is actually documented on the WinHost site:

... By default, directory browsing is enabled.
WinHost Support Portal - Can I control directory browsing on my site?

Well shiver me timbers, mateys!

Using IIS Manager, I made a quick change to disable directory browsing on This added the following element to the Web.config file:

    <directoryBrowse enabled="false" />

The next time I create a new ASP.NET application to be hosted externally, I think it would be wise to just add this to the Web.config file in the beginning.


No comments posted yet.

Add Comment

Optional, but recommended (especially if you have a Gravatar). Note that your email address will not appear with your comment.
If URL is specified, it will be included as a link with your name.

To prevent spam from being submitted, please select the following fruit: Watermelon

Please add 4 and 6 and type the answer here: