# Solved: Preventing a directory listing



## smooth (Sep 26, 2005)

Hello again,

How do you stop your site from having a directory listing in a folder?

For example, my images folder, how can I protect it from someone typing in:

http://www.mysite.com/images

And then them shown a directory of my images folder? I am pretty sure there is a way of doing this.

Any ideas?


----------



## Sequal7 (Apr 15, 2001)

Depends on your host type how to protect directories. 
Who and what is your host and if you have a hosting provider, what type of Control panel do they use?


----------



## smooth (Sep 26, 2005)

Our host is 1and1, and you can see the admin login page here.

I'm not sure exactly what type of panel it is, maybe CPanel?

We are under the Microsoft Developer package.


----------



## Squashman (Apr 4, 2003)

Just put an index.html file in the directory and have it redirect to the main web page. If you were running on an apache server you could also use an .htaccess file but we already know you are using IIS.


----------



## smooth (Sep 26, 2005)

Yeah, I was afraid I would have to do that. 

I'm thinking I'll have to put that redirect index page in all my folders on the site, because if I type in any of my directories, I get a file list.

Grrr....so using .htaccess is about the only way of doing this, besides the redirect page?


----------



## Squashman (Apr 4, 2003)

Just read up a little bit more on IIS. I don't think Directory Browsing is enabled by default on IIS. They must have turned it on for some reason. I would talk with your webhost and ask them why they have directory browsing enabled. If I were you I would ***** and complain. Most of the Linux apache Web hosting providers I have used always have that turned off and it is easily turned back on by using an htaccess file for the directories you want directory listings for. It will be a real pain in the butt to put an Index file in every directory if you have a very large directory structure.

If I am reading the documentation for IIS correclty, your webhost should be able to turn off Indexing for your website without affecting any other hosts on the server. It should be able to do it on a per website basis.


----------



## Sequal7 (Apr 15, 2001)

Is the problem that you trying to access a page, example index.asp and it is displaying the directory of the sites root?

Or are you trying to simply protect your folders from viewing?

1&1 panel for Windows hosting is easy, they dont use CPanel they have thier own interface.

open webfiles
http://faq.1and1.com/applications/webfiles/2.html
select and set right management on your folder
http://faq.1and1.com/applications/webfiles/3.html

If those dont work, perhaps try the IIS snapin:
Follow direction here to protect your directory
http://faq.1and1.com/web_space__access/protected_directories/4.html


----------



## Squashman (Apr 4, 2003)

Wow, that looks like it solves your password protection problem as well.


----------



## smooth (Sep 26, 2005)

Thanks, I'll call them and make sure to tell them I want them to turn off directory browsing.

No, we already have the protected directory set up, that's why I need to use the ASP thing. Having the protected directory only allows one username, and one password, which everyone would use to log in. We want every one to have there own user name, and own password, so we can delete them if they leave the company, so they can't log in to the company after they leave.


----------



## Squashman (Apr 4, 2003)

What is the new user button for then. Will it not let you create more than one user.


----------



## smooth (Sep 26, 2005)

Wow, didn't see that on there. I'll have to try that out. Not sure if I have that in my package, I'll check it out.


----------



## smooth (Sep 26, 2005)

Oh, the Add button is to add a directory, not a user


----------



## Sequal7 (Apr 15, 2001)

Ok, I am reallly confused by your question now.


> How do you stop your site from having a directory listing in a folder?
> 
> For example, my images folder, how can I protect it from someone typing in:
> 
> ...


If you already have protected directories why are you asking how to protect a directory?


----------



## Squashman (Apr 4, 2003)

smooth246 said:


> Oh, the Add button is to add a directory, not a user


Not talking about the add directory button. There is one above that says New User and there is a box to the right of that for the username.


----------



## Squashman (Apr 4, 2003)

Sequal7 said:


> Ok, I am reallly confused by your question now.
> If you already have protected directories why are you asking how to protect a directory?


He is talking about keeping the server from doing Directory listings. If he doesn't have an index.html file in the directory, it will show all the files in the directory. This is usually turned off by default on most servers. On an apache server it is real easy to turn back on with an .htaccess file but he is on an IIS server.


----------



## smooth (Sep 26, 2005)

Ok, got the directory browsing disabled, by contacting the web host.  

Now, with the Add User button on the protected directory list. I asked the host about that and they said "Basically you can only have one username and password per protected directory. If you add another for that directory it "confuses" the system."


----------



## Sequal7 (Apr 15, 2001)

Glad you got it sorted out.
In the future as a note;
For immediate lockdown, you can set the directory permissions in your hosting control panel as I mentioned earlier. It will perform the same function as turning off browsing in an emergency.
Example, if someone were to enter the url, it would ask for the username and password to access that directory, and of course fail and show a 401 page, not the contents of the directory.

Also, your host is running IIS, so they can easily set the default page to all these files; home,index,default.*asp* as well as home,index,default.*html* and home,index,default.*htm* in the page so that way you can have any of them show the page when the url is typed. 
Ask them to include those and you will limit your problems in the future, especially running out of the box scripts that you may pick up at various sites like hotscripts etc.


----------



## smooth (Sep 26, 2005)

Thanks.  I really appreciate it. I'll definitely give them a call and tell them to set those as default pages as well.


----------



## Squashman (Apr 4, 2003)

smooth246 said:


> Ok, got the directory browsing disabled, by contacting the web host.
> 
> Now, with the Add User button on the protected directory list. I asked the host about that and they said "Basically you can only have one username and password per protected directory. If you add another for that directory it "confuses" the system."


When is Microsoft going to get with the times and Integrate something like .htaccess into IIS so that people who have MS webhosting can easily password protect stuff.


----------



## smooth (Sep 26, 2005)

I agree totally. Hopefully I'll get the ASP script I got to working.


----------

