Solved

Ways to scan an IIS if 'directory browsing' has been disabled

Posted on 2016-10-26
3
161 Views
Last Modified: 2016-11-06
We have a finding from an external PT scan tt one website (IIS 7.0) has
directory browsing enabled & a few folders were listable.

Now that we've applied the fix below, I need a safe & easy way to
rescan without initiating the external PT scan (which I need a CR):
https://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx

Do I need to get the ISP to whitelist my source IP for this 'stripped down'
scan for directory browsing?

The full external PT tests for many items.  If there's an online site that
allow me to do just this (without scanning for other items) & generate
a decent-looking report, do share,  thanks
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 14

Expert Comment

by:William Fulks
ID: 41861185
What do you mean by PT scan?
0
 

Author Comment

by:sunhux
ID: 41861525
PT = Penetration Test
and the PT our vendor uses includes a full suite of items that it scan.

I just want to check/scan for the specific IIS listable/browseable folders  is still there
without going thru the full suite
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41861775
Do you have access to the server OS via RDP or something similar or have you just hosted your site with a shared host provider?

If you have access, the process of checking is trivial and can be done with a PowerShell module called Carbon.

Link:  http://get-carbon.org/Enable-IisDirectoryBrowsing.html

If you are in a shared hosting situation and do not have access to the host OS, you are short on options.  You would need to use a http site scanner to crawl and scrape your site and then you would have to review the scraped output for directory browsing enabled structures.  Most providers that I have used, do not whitelist IP for pen testing.  It would be better to work with your provider to ensure that this feature is disabled.  Maybe asking for a regular site configuration report (relatively easy with PowerShell) and reviewing the settings to check for changes (authorized or not).

Dan
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question