Make sure that the short file name does not allowed on server. You ca do do by edit the registry. Search regedit in windows server- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Find key NtfsDisable8dot3NameCreation and double click to set the value to 1. This will prohibit hacker to directory traversal with short file name.
Then take the following steps,
Open IIS- Double click request filtering.
2. Add deny sequence(eg. Tilde, backslash etc) for the url
3. Now again go to the error pages- double click
4. For the error code click edit feature code and then check custom error pages instead of detail error page and select the custom error page location.