1. Introduction
The Microsoft IIS Default Index Page vulnerability means a web server is using its standard, pre-configured welcome page. This page can reveal information about the server’s root directory and installation paths. A remote attacker could use this to gather details for further attacks. Confidentiality may be impacted through information disclosure.
2. Technical Explanation
The vulnerability occurs because the default IIS index page is not removed or replaced during server setup. An unauthenticated attacker can simply request the default page via HTTP(S) to view potentially sensitive data. The Common Weakness Enumeration (CWE) for this issue is 200, Improper Input Validation. For example, an attacker could access `http://example.com/` and see the IIS welcome screen which may contain server paths.
- Exploit mechanism: An attacker sends a simple HTTP request to the web server’s root directory.
- Scope: Microsoft Internet Information Services (IIS) on Windows Server operating systems.
3. Detection and Assessment
You can check for this vulnerability by browsing to the website’s root URL in a web browser. A more thorough method is to use a web application scanner.
- Quick checks: Open a web browser and navigate to `http://<server>/`. If the default IIS page appears, the server is likely vulnerable.
- Scanning: Nessus plugin ID 32875 or OpenVAS scan config ‘IIS Default Files’ may detect this issue (example only).
- Logs and evidence: Check web server logs for requests to the root directory (`/`) from external sources.
curl -I http://example.com/
Note that `-I` sends a HEAD request, so it returns only the response headers (such as the `Server:` header that identifies IIS) and not the page body; drop `-I` to fetch the welcome page itself.
4. Solution / Remediation Steps
The solution is to remove or replace the default IIS index page with a custom one.
4.1 Preparation
- Ensure you have access to the IIS Manager console. Back up the website content and IIS configuration before making changes; the roll back plan is to restore that backup.
- A change window may be needed depending on business impact. Approval from a system owner might be necessary.
4.2 Implementation
- Step 1: Open IIS Manager.
- Step 2: Expand the server node and select your website.
- Step 3: In the Features View, double-click “Default Document”.
- Step 4: Select “index.html” or similar default page file.
- Step 5: Click “Remove” in the Actions pane.
- Step 6: Add a custom index page (e.g., `home.html`) if one exists, otherwise create one and add it to the list.
4.3 Config or Code Example
Before
index.htm (listed in Default Document feature)
After
home.html (or your custom index page, listed in Default Document feature)
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Secure defaults – always change default configurations.
- Practice 2: Regular configuration reviews – check for unnecessary files or settings.
4.5 Automation (Optional)
PowerShell can be used to modify the IIS Default Document feature.
# Example PowerShell script (use with caution)
Import-Module WebAdministration
$siteName = "YourWebsiteName"
# The site path needs backslashes and double quotes so that $siteName is expanded
$sitePath = "IIS:\Sites\$siteName"
# Default documents live in the defaultDocument/files collection; remove the stock entry by its value
Remove-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/defaultDocument/files" -Name "." -AtElement @{value='index.htm'}
# Add the custom index page as a new element of the same collection
Add-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/defaultDocument/files" -Name "." -Value @{value='home.html'}
5. Verification / Validation
Confirm the fix by browsing to the website root and verifying that your custom index page is displayed.
- Post-fix check: Open a web browser and navigate to `http://<server>/`. The expected output should be your custom home page.
- Re-test: Repeat the quick check from Section 3. The default IIS page should no longer appear.
- Monitoring: Check web server logs for any errors related to the new index page (example only).
curl -I http://example.com/
6. Preventive Measures and Monitoring
Update security baselines and consider adding checks in your deployment pipeline.
- Baselines: Update a CIS benchmark or internal policy to require custom index pages for IIS websites.
- Pipelines: Add a check in CI/CD pipelines to verify that default files are removed during deployment.
- Asset and patch process: Review server configurations regularly as part of your asset management process.
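A pipeline or post-fix check covering the verification in Section 5 and the CI/CD check above, added here as an example and not code from the original guide. It assumes the WebAdministration module on the IIS host; the site name, the list of stock file names, the probe URL and the `<title>` marker used in the live probe are placeholders or assumptions, not vendor-documented values.

```powershell
# Added example: fail a pipeline step if an IIS site still exposes a stock default document.
# Assumes the WebAdministration module and an elevated session on the IIS host.
param(
    [string]   $SiteName      = "YourWebsiteName",      # placeholder site name
    [string]   $ExpectedIndex = "home.html",            # custom page from Section 4.3
    [string[]] $DefaultNames  = @("index.htm", "index.html", "iisstart.htm", "default.htm"),  # assumed stock names
    [string]   $ProbeUrl      = ""                      # optional live probe, e.g. http://example.com/
)
Import-Module WebAdministration
$problems = @()

$site = Get-Website -Name $SiteName
if (-not $site) { Write-Error "Site '$SiteName' not found"; exit 2 }
$sitePath = "IIS:\Sites\$SiteName"

# 1. The Default Document list must not contain a stock entry and must contain the custom page.
$configured = @(Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/defaultDocument/files/add" |
                ForEach-Object { $_.value })
foreach ($name in $configured) {
    if ($DefaultNames -contains $name) { $problems += "Default Document list still contains '$name'" }
}
if ($configured -notcontains $ExpectedIndex) { $problems += "'$ExpectedIndex' is not in the Default Document list" }

# 2. Stock files must also be gone from the content root; otherwise a later configuration change
#    (or an inherited server-level list) would serve them again.
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
foreach ($name in $DefaultNames) {
    if (Test-Path (Join-Path $root $name)) { $problems += "Stock file '$name' still present in $root" }
}
if (-not (Test-Path (Join-Path $root $ExpectedIndex))) { $problems += "'$ExpectedIndex' missing from $root" }

# 3. Optional live probe: the page served at the site root must not be the IIS welcome page.
#    The title pattern is an assumption about the stock page markup, adjust it for your IIS version.
if ($ProbeUrl) {
    try {
        $resp = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -TimeoutSec 15
        if ($resp.Content -match '<title>\s*IIS[^<]*</title>') { $problems += "Root of $ProbeUrl still serves the IIS welcome page" }
    } catch { $problems += "Probe of $ProbeUrl failed: $($_.Exception.Message)" }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1    # non-zero exit fails the pipeline step
}
Write-Output "OK: '$SiteName' serves '$ExpectedIndex' and no stock default document"
exit 0
```

Run it from the deployment pipeline after the site is published; the exit code, not the printed text, is what the pipeline should gate on.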
7. Risks, Side Effects, and Roll Back
Changing the index page could cause issues if the new page is not configured correctly.
- Risk or side effect 1: Incorrectly configuring the index page may result in a 404 error.
- Risk or side effect 2: Changes to IIS configuration can sometimes impact other website features.
- Roll back: Restore the backup of your website content from Section 4.1. Re-add the default index page if necessary.
8. References and Resources
Links to relevant resources.
- Vendor advisory or bulletin: https://www.owasp.org/index.php/SCG_WS_IIS
- NVD or CVE entry: No specific CVE is associated with this issue, as it’s a configuration problem.
- Product or platform documentation relevant to the fix: https://learn.microsoft.com/en-us/iis/configuration/system-webserver/defaultDocument