We have built a web application using ASP.Net MVC3 and SQL Server 2008 which has features like credit card payment, etc. We engaged a 3rd party to perform vulnerability assessment and penetration testing. We got a good report with few security issues. We have fixed all the issues except one. In that report it says that our application reveals web directories such as 'Admin/Contact/Details' '/Areas/Admin/Styles/'. It is not major issue. But our management want to fix that too ... Any ideas to solve it correctly and quickly. Appreciate if someone can shed some light on this.