STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft IIS 10.0 Server Security Technical Implementation Guide

V-218808

CAT II (Medium)

Directory Browsing on the IIS 10.0 web server must be disabled.

Rule ID

SV-218808r961158_rule

STIG

Microsoft IIS 10.0 Server Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-001310

Discussion

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled, the risk of inadvertently disclosing sensitive content is increased.

Check Content

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Directory Browsing" icon.

Under the “Actions” pane verify "Directory Browsing" is disabled.

If “Directory Browsing” is not disabled, this is a finding.

Fix Text

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the "Directory Browsing" icon.

Under the "Actions" pane click "Disabled".

Under the "Actions" pane, click "Apply".