Configuring Internet Information Services to avoid the detection of hidden directories
Web-based applications sometimes inadvertently expose a site's directory structure. Even when a directory does not list its contents, the fact that the server answers a request for it with 403 - Forbidden confirms that the directory exists. Knowing a directory's name, an attacker can infer what it holds and guess the names of files inside it, so exposed directory names are a real risk when the content behind them is sensitive.
To reduce this risk, configure the site to return a 404 - Not Found response instead of 403 - Forbidden for such requests. A directory that is refused and a directory that does not exist then look the same to a client, and the site structure is no longer disclosed. Two points to keep in mind: the custom error page configured below must itself respond with status 404 (displaying "not found" text with some other status code still distinguishes the two cases), and hiding the directory names is a defence-in-depth measure, not a substitute for access controls on the content itself.
You must be a member of the Administrators group on the local computer to perform the following procedure, or you must be delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Windows Run as command to run the Internet Information Services Manager as an administrator.
1 Open a Windows Command Prompt, and then type this command:
runas /user:<administrative_accountname> "mmc %systemroot%\system32\inetsrv\iis.msc"
Where <administrative_accountname> is the account name for someone with administrative authority to the workstation.
2 In Internet Information Services Manager, expand the local computer, expand Web Sites, right-click Default Web Site, and then select Properties.
3 Click the Custom Errors tab.
4 In the Error Messages for HTTP Errors list, select the HTTP error 403;14 (Directory listing denied), and then click Edit Properties.
5 Select URL from the Message Type list box.
6 Enter the following in the URL field: /spssmr/shared/404-custom.asp
7 Click OK, and then click OK again.
8 Exit the Internet Information Services Manager.
9 Open the Windows Registry Editor (type regedit in a Windows Command Prompt), and then navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
10 Create a new DWORD value named IgnoreAppPoolForCustomErrors and give it a value of 1.
11 Open a Windows Command Prompt, and then type:
iisreset
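The following PowerShell script is an added example, not part of the original product documentation. It performs the registry and iisreset steps (9 to 11) of the procedure above, then checks the result the way a practitioner would: it requests each directory both with and without a trailing slash, without following redirects, and compares the status codes against a directory that does not exist. A 404 for all of them means the directory is hidden; a 403, or a redirect that appends the trailing slash, still confirms that the directory exists. The host name and the directory names passed at the end are assumptions for illustration; the custom error page itself is configured in IIS Manager as described in steps 2 to 8.

```powershell
# Added example (not from the original documentation): apply the registry step
# of the procedure, restart IIS, then probe the site to confirm that directory
# requests now return 404 rather than 403. Run as an administrator.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$regName = 'IgnoreAppPoolForCustomErrors'

function Set-IgnoreAppPoolForCustomErrors {
    # Steps 9 and 10: create the DWORD value and set it to 1, then read it back.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    $value = (Get-ItemProperty -Path $regPath -Name $regName).$regName
    if ($value -ne 1) { throw "Failed to set $regName under $regPath" }
}

function Get-DirectoryProbeStatus {
    param([string]$Url)
    # Redirects are NOT followed on purpose: a 301 that appends a trailing slash
    # is itself proof that the directory exists, so it must be reported as-is.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as WebException; a null Response means no answer at all.
        if ($_.Exception.Response -eq $null) { throw }
        $code = [int]$_.Exception.Response.StatusCode
        $_.Exception.Response.Close()
    }
    return $code
}

function Test-HiddenDirectories {
    param([string]$BaseUrl, [string[]]$Directories)
    $results = @()
    foreach ($dir in $Directories) {
        foreach ($path in @("/$dir", "/$dir/")) {
            $code = Get-DirectoryProbeStatus ($BaseUrl.TrimEnd('/') + $path)
            $verdict = switch ($code) {
                404 { 'hidden' }
                403 { 'EXPOSED: 403 confirms the directory exists' }
                301 { 'EXPOSED: courtesy redirect confirms the directory exists' }
                302 { 'EXPOSED: redirect confirms the directory exists' }
                default { "check manually (HTTP $code)" }
            }
            $results += New-Object PSObject -Property @{ Path = $path; Status = $code; Verdict = $verdict }
        }
    }
    return $results
}

Set-IgnoreAppPoolForCustomErrors
iisreset | Out-Null   # step 11; this restarts all sites on the server

# Host and directory names are assumptions: list the directories the site must
# not reveal, plus a name that does not exist as the 404 baseline to compare against.
Test-HiddenDirectories -BaseUrl 'http://localhost' -Directories @('spssmr', 'images', 'no-such-dir') |
    Format-Table Path, Status, Verdict -AutoSize
```

Read the table as a comparison: every real directory should produce the same status as the non-existent control, i.e. 404 for both the slash and no-slash form. If the custom page still answers 403, it is not setting the 404 status itself; if the no-slash form answers 301, the server's trailing-slash redirect is disclosing the directory and needs to be addressed separately from the 403;14 mapping, which is the only error this procedure remaps.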