Preventing Web-based Directory Enumeration Attacks Against IIS

I received an interesting tip from Munish about how to prevent directories from being easily identified in IIS. I've updated my original post about directory enumeration with the following information:

Setting the “Hidden” Attribute to Hide Files in IIS

Hiding directories in IIS seems to be as easy as setting the “hidden” attribute:

cd c:\Inetpub\wwwroot
attrib +h myprivatedirectory

Now when an attacker browses to http://yoursite/myprivatedirectory they get a 404 "Not Found" response instead of a 403 "Directory Listing Denied". Note that the files inside the directory remain accessible by direct URL (e.g. http://yoursite/myprivatedirectory/somefile.htm); the hidden attribute only stops the directory itself from being confirmed. This is a simple way to defeat wordlist-driven directory enumeration from tools such as http-dir-enum and DirBuster.
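To apply this at scale and confirm it took effect, here is an added PowerShell example (not code from the original post) that sets the hidden attribute on a list of directories under the web root and then requests each directory URL before and after the change, so an administrator can see the status code move from 403 to 404 as described above. It assumes IIS is serving http://localhost/ from C:\Inetpub\wwwroot; the directory names in $Dirs are placeholders.

```powershell
# Added example, not part of the original post.
# Assumptions: IIS listens on http://localhost/, the web root is
# C:\Inetpub\wwwroot, and the directory names below are placeholders.
$WebRoot = 'C:\Inetpub\wwwroot'
$BaseUrl = 'http://localhost'
$Dirs    = @('myprivatedirectory', 'admin-tools')   # placeholder names

# Equivalent of "attrib +h <dir>": OR the Hidden flag into the existing attributes.
function Set-HiddenDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # -Force is needed so Get-Item still returns items that are already hidden.
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.PSIsContainer) { throw "$Path is not a directory" }
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden
}

# Return the HTTP status code for a URL. Invoke-WebRequest throws on 4xx/5xx,
# so the code is recovered from the exception's Response object.
function Get-StatusCode {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Get -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

foreach ($d in $Dirs) {
    $path = Join-Path $WebRoot $d
    $url  = "$BaseUrl/$d/"

    $before = Get-StatusCode $url      # expected 403 for a non-hidden directory
    Set-HiddenDirectory $path
    $after  = Get-StatusCode $url      # expected 404 once the attribute is set

    '{0,-25} before={1} after={2}' -f $d, $before, $after
    if ($after -ne 404) {
        Write-Warning "$d still answers $after; verify the attribute with 'attrib $path'"
    }
}
```

Run this from an elevated prompt on the web server itself so the local requests reach IIS directly. The 404 only frustrates discovery; anyone who already knows a file's URL inside the directory still receives it, so sensitive content still needs IIS authorization rules or a location outside the web root.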
