Ensure ‘directory browsing’ is set to disabled

Best practice for systems running IIS, part of Hardening IIS:

Manual verification

Perform the following to verify that Directory Browsing has been disabled at the server
level:

%systemroot%\system32\inetsrv\appcmd list config /section:directoryBrowse

Recommended configuration

<system.webServer>
 <directoryBrowse enabled="false" />
<system.webServer>

Nessus audit file checks

<if>
<condition type:"AND"> 
<custom_item>
 type : AUDIT_POWERSHELL
 description: "IISPS:Check if PS Webadministration is available:IIS8"
 value_type : POLICY_TEXT
 value_data : "Powershell Webadministration is available"
 powershell_args: 'if($(get-module -listavailable Webadministration -Erroraction SilentlyContinue) -eq $Null){write-host "Powershell Webadministration is not available" } else {write-host "Powershell Webadministration is available" }'
</custom_item>
</condition>
<then>
<custom_item>
 type: AUDIT_POWERSHELL
 description: "IIS800015:Disable Directory Browsing (PS):IIS8"
 value_type: POLICY_TEXT
 value_data: ""
 powershell_args: 'import-module Webadministration -DisableNameChecking; get-webconfiguration -filter /system.webserver/directoryBrowse | 
 where {$_.enabled -eq \\"true\\" } ' 
 powershell_option: CAN_BE_NULL
</custom_item> 
</then>
<else>
<custom_item>
 type : AUDIT_IIS_APPCMD
 description: "IIS800015:Disable Directory Browsing:IIS8"
 reference : "Level|1S"
 value_type : POLICY_TEXT
 value_data : "false"
 appcmd_args: "list config /section:directoryBrowse /text:enabled"
 check_type : CHECK_REGEX
</custom_item>
 
<custom_item>
 type : AUDIT_IIS_APPCMD
 description: "IIS800015:Disable Directory Browsing (APPCMD):IIS8"
 reference : "Level|1S"
 value_type : POLICY_TEXT
 value_data : "false"
 appcmd_args: "list config /section:directoryBrowse /text:enabled"
 check_type : CHECK_REGEX
</custom_item>
</else>
</if>