Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Ways to scan an IIS if 'directory browsing' has been disabled

Posted on 2016-10-26
3
Medium Priority
?
212 Views
Last Modified: 2016-11-06
We have a finding from an external PT scan tt one website (IIS 7.0) has
directory browsing enabled & a few folders were listable.

Now that we've applied the fix below, I need a safe & easy way to
rescan without initiating the external PT scan (which I need a CR):
https://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx

Do I need to get the ISP to whitelist my source IP for this 'stripped down'
scan for directory browsing?

The full external PT tests for many items.  If there's an online site that
allow me to do just this (without scanning for other items) & generate
a decent-looking report, do share,  thanks
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 15

Expert Comment

by:William Fulks
ID: 41861185
What do you mean by PT scan?
0
 

Author Comment

by:sunhux
ID: 41861525
PT = Penetration Test
and the PT our vendor uses includes a full suite of items that it scan.

I just want to check/scan for the specific IIS listable/browseable folders  is still there
without going thru the full suite
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 41861775
Do you have access to the server OS via RDP or something similar or have you just hosted your site with a shared host provider?

If you have access, the process of checking is trivial and can be done with a PowerShell module called Carbon.

Link:  http://get-carbon.org/Enable-IisDirectoryBrowsing.html

If you are in a shared hosting situation and do not have access to the host OS, you are short on options.  You would need to use a http site scanner to crawl and scrape your site and then you would have to review the scraped output for directory browsing enabled structures.  Most providers that I have used, do not whitelist IP for pen testing.  It would be better to work with your provider to ensure that this feature is disabled.  Maybe asking for a regular site configuration report (relatively easy with PowerShell) and reviewing the settings to check for changes (authorized or not).

Dan
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question