Iis – Replace IIS 403 with 404 for Directory Listing


Is it possible to have IIS (6 or 7.5) return a 404 Not Found (instead of 403 Forbidden) when a disallowed directory listing is requested?

A security scanning service I use thinks the 403 is revealing something "potentially sensitive", when in fact it's just not a valid URL. My workaround is to drop a default.aspx into each directory that returns an empty 404 page, but there has to be a better way…

Best Answer

Sure. Configure a custom error message for 403.14 to run a simple ASP page that returns a 404 response code. 403.14 is the Status and subcode used for 'Directory listing denied'.