Windows 7 : Controlling and Customizing Your Website (part 3) - Working Without a Default Document

3/23/2011 9:31:49 AM

Working Without a Default Document

Using a default document is usually a good idea because it enables users to access your site without knowing the name of any file. However, for security reasons, you might want to allow access to the site only to users who know a specific filename on the site (for example, through a URL that you’ve provided). In that case, you have two choices:

Don’t include a file that uses one of the default document names.
Disable the default documents.

Here are the steps to follow to disable default documents for your website:

1.	Open IIS Manager.
2.	Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3.	Select Default Web Site.
4.	Click Features View.
5.	Double-click the Default Document icon to display the Default Document page.
6.	In the Actions pane, click Disable. IIS Manager disables the default documents.
7.	Click the Back button to return to the website’s main page in IIS Manager.

At this point, you may still have a security risk because it’s possible that any anonymous user who surfs to the site without specifying a filename will see a listing of all the files and subfolders in the website’s home folders! An example is shown in Figure 3.

Figure 3. If you’ve disabled the default documents but directory browsing is enabled, anonymous users who don’t specify a filename see a listing of the contents of the home folder.

Note

In the directory listing shown in Figure 3, you see a file named web.config. This is a file created by IIS Manager to store some of the settings you’ve been working with so far, including the name and order the default documents and whether default documents are enabled.

This is called directory browsing, and it’s normally disabled in IIS 7.5, but just to make sure, follow these steps:

1.	Open IIS Manager.
2.	Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3.	Select Default Web Site.
4.	Click Features View.
5.	Double-click the Directory Browsing icon to display the Directory Browsing page.
6.	In the Actions pane, look for the message Directory browsing has been disabled, as shown in Figure 4. If you see the message, skip to step 8. Figure 4. Make sure that your website has directory browsing disabled.
7.	If you do not see the message, click the Disable link to disable directory browsing. IIS Manager disables directory browsing for the site.
8.	Click the Back button to return to the website’s main page in IIS Manager.

Now when an anonymous user surfs to your website without specifying a filename (and assuming you still have default documents disabled), that person sees the error message shown in Figure 5.