Securing WebDAV Publishing Directories
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
WebDAV is an extension of the HTTP 1.1 protocol that facilitates file and directory manipulation over an HTTP connection. Through the use of WebDAV verbs, or commands, properties can be added to and read from files and directories. Files and directories can also be remotely created, deleted, moved, or copied. Additional access control can be configured through both Web server permissions and NTFS.
Just as with a standard Web site, you can use the Directory Security tab in the Web Site Properties dialog box to configure WebDAV authentication, Web site access control, and IP address and domain name restrictions, and to enable secure communications. Furthermore, for security reasons and to enable WebDAV custom search properties, your WebDAV publishing directory must reside on an NTFS file system partition. For more information about NTFS partitions, see "Choosing a file system: NTFS, FAT, or FAT32" in Help and Support Center for Windows Server 2003.
Setting the Client Authentication Method
Because WebDAV is an HTTP-based protocol, the same authentication methods are available for your WebDAV publishing directory as for your Web sites. When you create a WebDAV virtual directory, the authentication settings will be set by default to Anonymous authentication and Integrated Windows authentication.
Change the default authentication settings for your WebDAV site. Anonymous authentication and Integrated Windows authentication are appropriate for Web sites, but not for resources on a WebDAV publishing directory.
Use the following best practices as guidelines when configuring client authentication for WebDAV. For more information about authentication, see Authentication in IIS 6.0.
Anonymous authentication
Turn off Anonymous authentication for your WebDAV publishing directory. Without controlling access, your directory might be vandalized by unknown clients.
Basic authentication
Turn on Basic authentication only if you encrypt passwords through SSL. Basic authentication sends passwords over the connection in plaintext, so passwords can be intercepted and read. For more information about SSL, see Configuring SSL on a Web Server or Web Site.
Digest authentication
Turn on Digest authentication if users access your WebDAV publishing directory over the Internet and through firewalls, because Digest authentication sends passwords over the network as an MD5 hash. However, passwords are stored as plaintext in the Active Directory® directory service.
Advanced Digest authentication
Turn on Advanced Digest authentication if users access your WebDAV publishing directory over the Internet and through firewalls. Advanced Digest authentication is the best choice because, in addition to sending passwords over the network as an MD5 hash, the passwords are also stored in Active Directory as an MD5 hash rather than as plaintext.
Integrated Windows authentication
Turn off Integrated Windows authentication unless users access your WebDAV publishing directory only from an intranet.
.NET Passport authentication
Configuring Access Control
You can control access to your WebDAV publishing directory by coordinating permissions in IIS and Windows Server 2003. The following information can help you set the correct permissions depending on what kind of content your WebDAV publishing directory contains and what you want to allow users to do with that content. For step-by-step instructions for setting permissions, see Securing Sites with Web Site Permissions.
Read, Write, Directory browsing enabled
Set these permissions if you want clients to see a list of resources, modify them (except for resources that do not have Write permission), publish their own resources, or manipulate files.
Write enabled; Read and Directory browsing disabled
Set these permissions if you want clients to publish private information on the directory, but you do not want others to see what has been published. This configuration works well if clients are submitting ballots or performance reviews.
Read and Write enabled; Directory browsing disabled
Set these permissions only if you want to obscure file names as a security method. However, be aware that security by obscurity is a low-level security precaution because an attacker or a malicious user can guess file names by trial and error.
Index this resource enabled
Enable Indexing Service if you plan to let clients search directory resources.
You can also control access to your WebDAV publishing directory through discretionary access control lists (DACLs). When you set up a WebDAV publishing directory on an NTFS file system disk, the server running Windows Server 2003 is configured with a secure set of defaults that can be too restrictive for Web publishing. If you change the defaults, assign Write permission only to the specific users or groups that absolutely need Write permission. (Whenever possible, assign permissions to groups rather than users.) By default, the Users group is assigned only Read permission for most portions of the file system.
If you have script files in your WebDAV publishing directory that you do not want users to access, you can deny access to these files by verifying that the Script Source Access permission is not assigned. The extensions of your script files are listed in the Application Mapping list. All other executable files, including files with .exe extensions, are treated as static HTML files unless the Scripts and Executables permission is assigned to the directory.
You can prevent users from downloading and viewing .exe files as HTML files but still allow clients to run them by assigning the Scripts and Executables permission. To do so, on the Virtual Directory tab of the publishing directory, on the Execute permissions list, click Scripts and Executables. When you assign the Scripts and Executables permission to the directory, all of the executable files are subject to the Script Source Access permission setting. You can assign the Script Source Access permission on the Home Directory tab of the Web Site Properties dialog box of the Web site that you are configuring. When the Script Source Access permission is assigned, clients with Read permission can see all the executables, and clients with Write permission can edit and run all the executables.
If you want clients to be able to write to an executable file that does not appear in the Application Mapping list, assign the Write permission and the Scripts Only Execute permission to the directory.
If you want clients to be able to write to any executable file, regardless of whether it appears in the Application Mapping list, assign the Script Source Access permission and the Scripts and Executables Execute permission to the directory.
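The following is an added offline checker, not code from this page or from Microsoft, that reads a constructed fragment shaped like the IIS 6.0 MetaBase.xml and applies the guidance from the authentication section, the three permission scenarios, and the Script Source Access paragraphs above. The property and flag names it relies on (AuthFlags, AccessFlags, DirBrowseFlags, UseDigestSSP and the values they carry) are the metabase's own names for the UI settings the page describes and are assumed here, since the page refers only to the dialog-box labels.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like an IIS 6.0 MetaBase.xml; not taken from a real server.
SAMPLE_METABASE = """<configuration><MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/dav-default" Path="C:\\dav"
      AuthFlags="AuthAnonymous | AuthNTLM" AccessFlags="AccessRead | AccessWrite"
      DirBrowseFlags="EnableDirBrowsing | DirBrowseShowDate" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/dav-dropbox" Path="D:\\dav"
      AuthFlags="AuthMD5" UseDigestSSP="TRUE" DirBrowseFlags="DirBrowseShowDate"
      AccessFlags="AccessWrite | AccessSSL | AccessSSL128" />
</MBProperty></configuration>"""

def parse_flags(value):
    """Split a metabase flag string such as 'AccessRead | AccessWrite' into a set of names."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}

def audit_authentication(vdir):
    """Check one IIsWebVirtualDir element against the authentication guidance above."""
    auth = parse_flags(vdir.get("AuthFlags"))
    access = parse_flags(vdir.get("AccessFlags"))
    findings = []
    if "AuthAnonymous" in auth:
        findings.append("anonymous: unknown clients can reach the publishing directory")
    if "AuthBasic" in auth and "AccessSSL" not in access:
        findings.append("basic-without-ssl: passwords cross the network in plaintext")
    if "AuthMD5" in auth and vdir.get("UseDigestSSP", "FALSE").upper() != "TRUE":
        findings.append("digest-not-advanced: passwords stored in plaintext in Active Directory")
    if "AuthNTLM" in auth:
        findings.append("integrated: acceptable only if access is limited to the intranet")
    if "AccessSource" in access and access & {"AccessScript", "AccessExecute"}:
        findings.append("script-source-access: clients with Write can edit and run executables")
    return findings

def classify_access(vdir):
    """Map Read, Write and Directory browsing onto the three scenarios described above."""
    access = parse_flags(vdir.get("AccessFlags"))
    read, write = "AccessRead" in access, "AccessWrite" in access
    browse = "EnableDirBrowsing" in parse_flags(vdir.get("DirBrowseFlags"))
    if read and write and browse:
        return "list-and-publish"   # clients see the listing, modify and publish
    if write and not read and not browse:
        return "drop-box"           # ballots, performance reviews: publish but not view
    if read and write and not browse:
        return "obscured-names"     # relies on file names staying unguessed
    return "other"

def audit_metabase(xml_text):
    """Audit every WebDAV virtual directory in a MetaBase.xml document."""
    return {v.get("Location"): {"access": classify_access(v), "auth": audit_authentication(v)}
            for v in ET.fromstring(xml_text).iter("IIsWebVirtualDir")}
```

Run `audit_metabase(SAMPLE_METABASE)` to see the default directory flagged for Anonymous and Integrated Windows authentication while the SSL-protected Advanced Digest drop box produces no findings.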