asp.net - Disable Directory Listing in IIS

Question

In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:

The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:

<configuration>
<location path="Secured">
    <system.web>
    <authorization>     
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
    </system.web>
</location>
</configuration>

And the main Web.config has:

<authentication mode="Forms">
  <forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" />
</authentication>

So when the application launches it redirects to the Login page with the URL:

http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

Now if I delete the

Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx

from that URL and press enter it is taking me to the Directory Listing:

What I want that it will again send me to the Login page located at

http://localhost:2453/Pages/Login.aspx

How can I achieve this? Your help be appreciated.

Thanks.

The localhost:

Answer 1

You need to disable directory browsing from IIS or from the web.config

<configuration>
  <location path="Secured">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager