The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.
1. Open the Internet Information Services Manager. 2. Right click on the web site for review > Select properties > Select the Documents tab. 3. Ensure the check box Enable default content page is checked and one file name is present. 4. Navigate to the home directory and virtual directories for the site being reviewed and verify the presence of the file(s) named in step 3.
If the Enable default content page is not checked or at least one file name is not present, this is a finding. If the file does not exist, this is a finding.
NOTE: If the site has directory browsing disabled for the site or virtual directory, this would not be a finding if a default page does not exist.
Fix Text (F-32649r1_fix)
Add a default document to the applicable directories or disable directory browsing.