Working Without a Default Document
Using a default document is usually a good idea because it enables users to access your site
without knowing the name of any file. However, for security reasons, you
might want to allow access to the site only to users who know a
specific filename on the site (for example, through a URL that you’ve
provided). In that case, you have two choices:
Here are the steps to follow to disable default documents for your website:
1. Open IIS Manager.
2. Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3. Select Default Web Site.
4. Click Features View.
5. Double-click the Default Document icon to display the Default Document page.
6. In the Actions pane, click Disable. IIS Manager disables the default documents.
7. Click the Back button to return to the website’s main page in IIS Manager.
At this point, you may still have a security risk because it’s possible that any anonymous user
who surfs to the site without specifying a filename will see a listing
of all the files and subfolders in the website’s home folders! An
example is shown in Figure 3.
Note
In the directory listing shown in Figure 3, you see a file named web.config.
This is a file created by IIS Manager to store some of the settings
you’ve been working with so far, including the name and order of the
default documents and whether default documents are enabled.
This is called directory browsing, and it’s normally disabled in IIS 7.5, but just to make sure, follow these steps:
1. Open IIS Manager.
2. Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3. Select Default Web Site.
4. Click Features View.
5. Double-click the Directory Browsing icon to display the Directory Browsing page.
6. In the Actions pane, look for the message Directory browsing has been disabled, as shown in Figure 4. If you see the message, skip to step 8.
7. If you do not see the message, click the Disable link to disable directory browsing. IIS Manager disables directory browsing for the site.
8. Click the Back button to return to the website’s main page in IIS Manager.
Now when an anonymous user surfs to your website without specifying a filename (and assuming
you still have default documents disabled), that person sees the error
message shown in Figure 5.
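
The two IIS Manager procedures above can also be scripted and re-checked from PowerShell. The following is an added example, not part of the original article; it assumes the WebAdministration module that ships with IIS 7.5, an elevated PowerShell session, and the site name Default Web Site used in the steps.

```powershell
# Added example (not from the original article).
# Assumes: the WebAdministration module is installed with IIS and this
# session is running elevated. $Site is the site name used in the steps above.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$PSPath   = "IIS:\Sites\$Site"

# The two configuration sections behind the Default Document and
# Directory Browsing icons in Features View.
$Sections = 'system.webServer/defaultDocument',
            'system.webServer/directoryBrowse'

foreach ($Section in $Sections) {
    # Effective value for the site, including anything inherited
    # from the server-level configuration.
    $current = (Get-WebConfigurationProperty -PSPath $PSPath `
                    -Filter $Section -Name enabled).Value

    if ($current) {
        # Same effect as clicking Disable in the Actions pane.
        Set-WebConfigurationProperty -PSPath $PSPath `
            -Filter $Section -Name enabled -Value $false
        Write-Output "$Section : was enabled, now disabled"
    }
    else {
        Write-Output "$Section : already disabled"
    }
}

# Re-read both settings so the result is confirmed rather than assumed.
# Both lines should report False; directoryBrowse is the one that matters
# most once default documents are off, because it controls the file listing.
foreach ($Section in $Sections) {
    $value = (Get-WebConfigurationProperty -PSPath $PSPath `
                  -Filter $Section -Name enabled).Value
    Write-Output ("{0,-36} enabled = {1}" -f $Section, $value)
}
```

Running the script again later is a quick way to confirm that neither setting has been switched back on for the site.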