Solved

Ways to scan an IIS if 'directory browsing' has been disabled

Posted on 2016-10-26
Last Modified: 2016-11-06
We have a finding from an external PT scan that one website (IIS 7.0) has
directory browsing enabled & a few folders were listable.

Now that we've applied the fix below, I need a safe & easy way to
rescan without initiating the external PT scan (for which I need a CR):
https://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx

Do I need to get the ISP to whitelist my source IP for this 'stripped down'
scan for directory browsing?

The full external PT tests for many items. If there's an online site that
allows me to do just this (without scanning for other items) & generate
a decent-looking report, do share. Thanks.
Question by:sunhux
3 Comments
LVL 14

Expert Comment

by:William Fulks
ID: 41861185
What do you mean by PT scan?
Author Comment

by:sunhux
ID: 41861525
PT = Penetration Test,
and the PT our vendor uses includes a full suite of items that it scans.

I just want to check/scan whether the specific IIS listable/browseable folders are still there
without going through the full suite.
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41861775
Do you have access to the server OS via RDP or something similar or have you just hosted your site with a shared host provider?

If you have access, the process of checking is trivial and can be done with a PowerShell module called Carbon.

Link:  http://get-carbon.org/Enable-IisDirectoryBrowsing.html

If you are in a shared hosting situation and do not have access to the host OS, you are short on options. You would need to use an HTTP site scanner to crawl and scrape your site, and then you would have to review the scraped output for directory-browsing-enabled structures. Most providers that I have used do not whitelist IPs for pen testing. It would be better to work with your provider to ensure that this feature is disabled. Maybe ask for a regular site configuration report (relatively easy with PowerShell) and review the settings to check for changes (authorized or not).

Dan
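For the "no server access" case the answer describes, the crawl-and-review step can be narrowed to exactly the folders the PT report named. The script below is an added example written for this thread, not code from the answer, Carbon or Experts Exchange: it fetches each folder path on a site you own, and classifies the response using the markers an IIS auto-generated listing page carries (the "[To Parent Directory]" link and the "host - /path/" title) versus the 403.14 page IIS returns once browsing is disabled. The base URL, the folder list and the sample HTML bodies are constructed for illustration.

```python
"""Re-check specific folders on your own IIS site for directory browsing.

Usage:  python recheck_dirbrowse.py https://www.example.com /images/ /uploads/
Only the paths you pass are requested; nothing is crawled or guessed.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Markers present on an IIS-generated directory listing page.
PARENT_LINK = re.compile(r"\[To Parent Directory\]", re.IGNORECASE)
LISTING_TITLE = re.compile(r"<title>\s*[^<]+\s-\s/[^<]*</title>", re.IGNORECASE)
# Text of the IIS 403.14 error page shown when directory browsing is off.
DISABLED_TEXT = "configured to not list the contents"


@dataclass
class Verdict:
    path: str
    status: int
    listable: bool
    note: str


def classify(path: str, status: int, body: str) -> Verdict:
    """Decide from status code and body whether a folder is still listable."""
    if status == 200 and (PARENT_LINK.search(body)
                          or (LISTING_TITLE.search(body) and "<pre>" in body.lower())):
        return Verdict(path, status, True, "directory listing returned")
    if status == 403 and DISABLED_TEXT in body:
        return Verdict(path, status, False, "403.14: directory browsing disabled")
    if status == 200:
        return Verdict(path, status, False, "200 without listing markers (default document?)")
    return Verdict(path, status, False, f"HTTP {status}")


def fetch(url: str, timeout: int = 10):
    """GET a URL and return (status, body) even for HTTP error responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirbrowse-recheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def recheck(base_url: str, paths):
    """Fetch each folder path (with trailing slash) and classify the response."""
    results = []
    for path in paths:
        folder = path if path.endswith("/") else path + "/"
        status, body = fetch(base_url.rstrip("/") + folder)
        results.append(classify(folder, status, body))
    return results


def summarize(results) -> str:
    """Plain-text report: one line per folder plus a pass/fail footer."""
    lines = [f"{'FAIL' if r.listable else 'ok  '} {r.status} {r.path}  {r.note}" for r in results]
    still_open = sum(r.listable for r in results)
    lines.append(f"{still_open} of {len(results)} folders still listable")
    return "\n".join(lines)


# Constructed sample bodies, modelled on what IIS 7 emits; not captured from a real host.
SAMPLE_LISTING = """<html><head><title>www.example.com - /images/</title></head>
<body><H1>www.example.com - /images/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
10/26/2016  9:12 AM        12345 <A HREF="/images/logo.png">logo.png</A><br>
</pre><hr></body></html>"""

SAMPLE_DISABLED = """<html><head><title>IIS 7.0 Detailed Error - 403.14 - Forbidden</title></head>
<body><h3>HTTP Error 403.14 - Forbidden</h3>
<p>The Web server is configured to not list the contents of this directory.</p>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    print(summarize(recheck(sys.argv[1], sys.argv[2:])))
```

Run it against the list of folders from the PT finding after the configuration change; a line marked FAIL means that folder still returns a listing, while a 403.14 line confirms the fix took effect for that path. Keep the output with your change record, since it is a narrow re-test rather than a replacement for the vendor's full scan.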
