Disable Directory Listing in IIS

Tapas Bose picture Tapas Bose · Mar 21, 2012 · Viewed 26.4k times · Source

In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:

enter image description here

The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:

<configuration>
<location path="Secured">
    <system.web>
    <authorization>     
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
    </system.web>
</location>
</configuration>

And the main Web.config has:

<authentication mode="Forms">
  <forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" />
</authentication>

So when the application launches it redirects to the Login page with the URL:

http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

Now if I delete the

Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

from that URL and press enter it is taking me to the Directory Listing:

enter image description here

What I want that it will again send me to the Login page located at

http://localhost:2453/Pages/Login.aspx

How can I achieve this? Your help be appreciated.

Thanks.

The localhost: enter image description here

Answer

scartag picture scartag · Mar 21, 2012

You need to disable directory browsing from IIS or from the web.config

<configuration>
  <location path="Secured">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager