Is it possible to have IIS (6 or 7.5) return a
404 Not Found (instead of
403 Forbidden) when a disallowed directory listing is requested?
A security scanning service I use thinks the 403 is revealing something "potentially sensitive", when in fact it's just not a valid URL. My workaround is to drop a
default.aspx into each directory that returns an empty 404 page, but there has to be a better way…