STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft IIS 10.0 Site Security Technical Implementation Guide

V-218759

CAT II (Medium)

Directory Browsing on the IIS 10.0 website must be disabled.

Rule ID

SV-218759r961158_rule

STIG

Microsoft IIS 10.0 Site Security Technical Implementation Guide

Version

V2R15

CCIs

CCI-001310

Discussion

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.

Check Content

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Click the Site.

Double-click the "Directory Browsing" icon.

If "Directory Browsing" is not installed, this is Not Applicable.

Under the "Actions" pane, verify "Directory Browsing" is "Disabled".

If "Directory Browsing" is not "Disabled", this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the Site.

Double-click the "Directory Browsing" icon.

Under the "Actions" pane, click "Disabled".