How to restrict Users from accessing Default IIS page and Virtual Directory

March 29, 2013

Sage CRM is a web-based application and requires a web server in order to function properly. The primary role of this web server is to store, process and deliver web pages to users over HTTP as and when required. Since Sage CRM relies on a web server, IIS is one of the major prerequisites and must be installed and configured before attempting the CRM installation. But have you ever focused on securing access to the IIS server?


Once you host web applications or web services on IIS, your applications and other IIS directories become exposed to data-theft and other security concerns. By default, a newly created IIS website is typically open to everyone, which means anyone can access and view the data hosted by that site. This is a security concern for most people: because of this vulnerability, a malicious user can gain access to the web root directory, then escalate his permissions and gain access to the whole drive where the web root is located.

Simply browsing the default URL of the IIS directory, i.e. http://<Server Name>/, opens the default IIS page. We thereby end up giving unnecessary access to the server's virtual directory. After that, it is very easy to hack other applications or web services hosted on that particular server, which ends up disclosing database server access.


Default Website of IIS

To restrict a user from accessing the directory and this default page, follow the steps below:

  1. In Run, type “inetmgr”. This will open IIS.
  2. Go to Sites | Default Web Site and select Default Document property.

     IIS – Default Web Site Options

  3. Double click on Default Document property. This will open Default document pages.

     IIS – Default Document property

  4. Right click on Default.htm page and click on disable.
  5. Execute IISRESET.

After following the above steps, when we access the above URL, an error message will be displayed as follows:


IIS Default Web Site Forbidden

The most common reason for HTTP Error 403 is a mistyped URL. Thus, to gain access to an application, it is necessary to browse to the correct URL of a web page or file and not just the directory. A regular URL would end in .com, .php, .org, .html, or otherwise have an extension, while a directory URL would usually end with a “/”.

In this way, you can configure servers to disallow directory browsing for security reasons.
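
The same change scripted in PowerShell and then checked, as an added example that is not part of the original post. It assumes an elevated Windows PowerShell session on the IIS host with the WebAdministration module, that the "Disable" action corresponds to setting `enabled="false"` on the site's `defaultDocument` section, and that the site answers on `http://localhost/`; it also confirms directory browsing is off, since otherwise the root URL would return a file listing instead of the 403 page.

```powershell
# Added example, not from the original post.
Import-Module WebAdministration

$site   = 'Default Web Site'    # site name used in the steps above
$psPath = "IIS:\Sites\$site"
$url    = 'http://localhost/'   # assumption: the site is bound to port 80 on this host

function Get-IisFlag([string]$Section) {
    # Effective enabled="..." value of a system.webServer section for the site
    # (inherited from server level unless the site overrides it).
    (Get-WebConfigurationProperty -PSPath $psPath -Filter "system.webServer/$Section" -Name enabled).Value
}

# Directory browsing has to be off before the default document is disabled;
# with it on, a request for "/" is answered with a listing of the web root.
if (Get-IisFlag 'directoryBrowse') {
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
}

# Steps 2 to 4: disable the Default Document feature for the site.
Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/defaultDocument' -Name enabled -Value $false

# Step 5: restart IIS.
iisreset | Out-Null

# Request the site root. Invoke-WebRequest throws on a 4xx response, so the
# status code is read from the exception; 0 means no HTTP response at all.
try {
    $status = [int](Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode
} catch {
    $status = [int]$_.Exception.Response.StatusCode
}

# Report the stored configuration next to the observed behaviour.
[pscustomobject]@{
    Site                   = $site
    DefaultDocumentEnabled = Get-IisFlag 'defaultDocument'
    DirectoryBrowseEnabled = Get-IisFlag 'directoryBrowse'
    RootStatus             = $status
}

if ($status -ne 403) {
    Write-Warning "Expected HTTP 403 for $url but got $status; check bindings and inherited settings."
}
```

Both settings are written at site level, so other sites on the same server keep whatever they inherit from the server-level configuration and need the same check.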
