It is highly recommended to disable Directory Browsing in IIS for websites on live servers, at least for the CMSSiteUtils directory. If enabled, sensitive data from site export/import packages, such as user credentials, can be accessed directly from the browser.
Directory Browsing is disabled by default.
Note: To protect the CMSSiteUtils folder from enumeration attacks, disabling directory browsing is not enough. You also have to forbid access to the folder in the web.config file. See Enumeration for more security information.