1

Is it possible to have IIS (6 or 7.5) return a 404 Not Found (instead of 403 Forbidden) when a disallowed directory listing is requested?

A security scanning service I use thinks the 403 is revealing something "potentially sensitive", when in fact it's just not a valid URL. My workaround is to drop a default.aspx into each directory that returns an empty 404 page, but there has to be a better way...

dahlbyk
  • 111
  • 1
  • 5

1 Answers1

2

Sure. Configure a custom error message for 403.14 to run a simple ASP page that returns a 404 response code. 403.14 is the Status and subcode used for 'Directory listing denied'.

David Dietz
  • 186
  • 1