IIS 403 Error — Forbidden Access Denied

WebServerErrors IIS Reconnaissance / Access Violation

What This Means

Troubleshoot IIS HTTP 403 Forbidden errors. Detect directory listing exposure, IP restriction bypasses, and unauthorized resource access targeting your web server.

Example Log

2026-03-08 15:10:44 W3SVC1 WEB01 10.0.1.50 GET /secret/config.xml - 443 - 203.0.113.55 python-requests/2.28.0 - 403 14 5 312

Indicators of Suspicious Activity

403 errors with sub-status 14 (directory listing denied) from scanning tools
Repeated 403 responses targeting sensitive file extensions (.config, .xml, .env, .bak)
User-Agent strings indicating automated scanning (python-requests, sqlmap, nikto)
403 errors originating from IP addresses that also generate 404 and 401 errors
Attempts to access known sensitive paths (/web.config, /app_data, /bin)
High-frequency 403 requests from a single IP within minutes

How to Investigate

Group 403 errors by client IP and URI to identify scanning patterns
Check the 403 sub-status code for the specific denial reason
Review if any 403-targeted paths contain sensitive data that should be further restricted
Correlate with 200 responses from the same IP to see what they successfully accessed
Verify that directory browsing is disabled on all IIS sites
Check IP restriction rules for misconfigurations

Recommended Mitigations

Ensure directory browsing is disabled in IIS site configuration
Add request filtering rules to block access to sensitive file extensions
Deploy a WAF to detect and block automated scanning tools
Implement IP restriction for admin and sensitive directories
Return generic error pages that do not reveal server technology
Configure URL Rewrite rules to block common vulnerability scanner paths

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 6 + 7?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

What causes IIS 403 errors? ▼

IIS returns 403 when the server understood the request but refuses to authorize it. Common causes include disabled directory browsing, IP restrictions, SSL requirements, request filtering rules, and NTFS permission denials.

What do IIS 403 sub-status codes mean? ▼

Key sub-status codes: 403.1 (execute access forbidden), 403.4 (SSL required), 403.6 (IP address rejected), 403.14 (directory listing denied), 403.16 (client certificate untrusted).

How do I block vulnerability scanners in IIS? ▼

Use Request Filtering to deny suspicious User-Agent strings, block requests for non-existent file extensions, and implement rate limiting via a WAF or IIS module like Dynamic IP Restrictions.