Solved

Ways to scan an IIS if 'directory browsing' has been disabled

Posted on 2016-10-26
3
187 Views
Last Modified: 2016-11-06
We have a finding from an external PT scan tt one website (IIS 7.0) has
directory browsing enabled & a few folders were listable.

Now that we've applied the fix below, I need a safe & easy way to
rescan without initiating the external PT scan (which I need a CR):
https://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx

Do I need to get the ISP to whitelist my source IP for this 'stripped down'
scan for directory browsing?

The full external PT tests for many items.  If there's an online site that
allow me to do just this (without scanning for other items) & generate
a decent-looking report, do share,  thanks
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 15

Expert Comment

by:William Fulks
ID: 41861185
What do you mean by PT scan?
0
 

Author Comment

by:sunhux
ID: 41861525
PT = Penetration Test
and the PT our vendor uses includes a full suite of items that it scan.

I just want to check/scan for the specific IIS listable/browseable folders  is still there
without going thru the full suite
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41861775
Do you have access to the server OS via RDP or something similar or have you just hosted your site with a shared host provider?

If you have access, the process of checking is trivial and can be done with a PowerShell module called Carbon.

Link:  http://get-carbon.org/Enable-IisDirectoryBrowsing.html

If you are in a shared hosting situation and do not have access to the host OS, you are short on options.  You would need to use a http site scanner to crawl and scrape your site and then you would have to review the scraped output for directory browsing enabled structures.  Most providers that I have used, do not whitelist IP for pen testing.  It would be better to work with your provider to ensure that this feature is disabled.  Maybe asking for a regular site configuration report (relatively easy with PowerShell) and reviewing the settings to check for changes (authorized or not).

Dan
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question