WebDAV Redirector

Applies To: Windows Server 2003 with SP1

What does WebDAV Redirector do?

The WebDAV Redirector (DAVRdr) allows computers running Windows Server 2003 to use WebDAV (Web-based Distributed Authoring and Versioning) servers, such as Windows SharePoint Services and MSN Communities, as if they were standard file servers. It consists of a kernel-mode component that plugs into the Windows NT remote file system stack, and a user-mode component (the Web Client service) that translates file system requests into WebDAV requests.

Who does this feature apply to?

This feature is used by people who access WebDAV servers through the remote file system. The WebDAV Redirector is implemented in the remote file system stack. Client administrators, and users who are concerned with the security of their credentials, need to be aware of this change if they access remote files on a WebDAV server using a Universal Naming Convention (UNC) path. For example, a file request such as \\ServerName\ShareName\File.txt is processed by the WebDAV Redirector and is affected by this change in functionality.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Disabling Basic Authentication over a clear channel

Detailed description

WebDAV is an extension of Hypertext Transfer Protocol (HTTP), and as such includes the use of Basic Authentication (BasicAuth). BasicAuth is one form of user authentication, that is, a means by which a user is identified to the server. With BasicAuth, the client transmits the user's credentials (user name and password) to the server. If the channel is unencrypted, as with normal HTTP traffic, any host that can observe the traffic can read the user name and password and therefore impersonate the user. The DAVRdr does not support encrypted HTTP (HTTPS or SSL), and will transmit the user's credentials in the clear (without encryption) if the server requests basic authentication. Although a legitimate server would most likely not be configured to use basic authentication, an attacker can set up a server expressly to harvest users' credentials.

Because of this possibility, Windows Server 2003 Service Pack 1 (SP1) includes the ability to enable or disable the use of BasicAuth by the DAVRdr. By default, use of BasicAuth is disabled with SP1. When BasicAuth is disabled, the client will either use a different authentication method (if the server supports one) or fail the request.

Why is this change important?

Users can log on to WebDAV servers for remote file access without fear of transmitting their password in the clear.

What threats does it help mitigate?

Imagine a corporate user at Contoso Corporation who routinely accesses the file share \\Contoso_Server\Sales, and who is now outside the corporation on a public network running an application that attempts to access that share as part of normal background activity. Since the user's portable computer is outside the corporate network, the request should fail. However, the DAVRdr will transmit a request to see whether there is a DAV server named Contoso_Server, even though the server the portable computer is actually trying to reach is an SMB server.

An attacker can be operating on that same public network with a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS request. The portable computer will then try to access a DAV share on that rogue server. If the rogue server responds with BasicAuth as the authentication method, a dialog box appears that asks for the user’s credentials. The dialog box identifies the server as Contoso_Server, leading the user to believe the request is legitimate. If the user enters their user name and password, the client transmits that information in the clear and the attacker thus gains access to that user’s login information. There is no indication to the user that the channel is not secure, that the request is being handled by the DAVRdr, or that the portable computer will transmit the user name and password in the clear. Note that the current default Windows authentication methods never transmit a user’s password in the clear.

What works differently?

Since the change to default behavior only affects the DAVRdr, the only scenarios that stop working are those that both require basic authentication and use the DAVRdr. An example is using Notepad.exe to open a file by UNC path on a Web site that only allows BasicAuth; this scenario will no longer work. Even if the server is configured to use only basic authentication, other applications such as Microsoft Office will continue to work, since they use a different DAV client.

How do I resolve these issues?

You can enable BasicAuth for the DAVRdr by adding the following registry value and setting it to a non-zero value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD)

If you delete the registry value or set it to 0, the behavior reverts to the default, which disables the use of BasicAuth. Keep in mind that enabling it reintroduces the credential-disclosure risk described above for every WebDAV server the client contacts.

WinINet: Disabling Basic Authentication over a clear channel

Detailed description

Because the DAVRdr is part of the remote file system stack, a computer is exposed to this attack whenever an attempt is made to access files remotely. Although the threat to other applications that use the Internet APIs is less severe than it is for the DAVRdr, a similar attack is possible whenever an application (or the user) attempts to access a URL. For this reason, WinINet exposes the mechanism by which the DAVRdr disables BasicAuth to other users of the Internet APIs as well.

There are two ways to block the use of Basic Authentication over clear (or unencrypted) channels:

  • Create the following registry key and set it to a non-zero value.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel (DWORD)

    This prevents WinINet from attempting to use BasicAuth unless the channel is secured (using HTTPS or SSL).

  • The application can disable the use of BasicAuth for its connections by setting the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag (0x4) in the value supplied in the call to InternetSetOption using INTERNET_OPTION_AUTH_FLAGS.
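The following PowerShell script is an added example, not part of the original article, that audits and sets the two registry switches described above (UseBasicAuth for the DAVRdr and DisableBasicOverClearChannel for WinINet). It assumes the value names and paths exactly as the article gives them, and it restarts the WebClient service after changing UseBasicAuth because the article does not say when the service reads the value; the restart is a conservative assumption, not something the article states.

```powershell
# Added example: audit/set the SP1 Basic Authentication switches.
# Assumption: paths and value names are as given in the article; the WebClient
# service is restarted so that it rereads UseBasicAuth (article does not say when
# the value is read).

$DavRdrKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$WinInetKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-BasicAuthValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, otherwise the DWORD.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-BasicAuthState {
    # Effective state using the article's semantics: a missing value means the default.
    $dav     = Get-BasicAuthValue -Path $DavRdrKey  -Name 'UseBasicAuth'
    $wininet = Get-BasicAuthValue -Path $WinInetKey -Name 'DisableBasicOverClearChannel'
    [pscustomobject]@{
        # Default (value absent or 0): DAVRdr refuses BasicAuth.
        DavRdrBasicAuthEnabled       = ($null -ne $dav -and $dav -ne 0)
        # Default (value absent or 0): WinINet still allows BasicAuth over plain HTTP.
        WinInetBasicOverClearAllowed = ($null -eq $wininet -or $wininet -eq 0)
    }
}

function Set-BasicAuthHardened {
    # Safe configuration: DAVRdr stays at its default (0) and WinINet refuses
    # Basic over clear channels for the current user.
    if (-not (Test-Path $DavRdrKey)) { New-Item -Path $DavRdrKey -Force | Out-Null }
    Set-ItemProperty -Path $DavRdrKey  -Name 'UseBasicAuth' -Value 0 -Type DWord
    Set-ItemProperty -Path $WinInetKey -Name 'DisableBasicOverClearChannel' -Value 1 -Type DWord
    Restart-Service -Name WebClient -ErrorAction SilentlyContinue
}

function Enable-DavRdrBasicAuth {
    # Opt back in (the article's "How do I resolve these issues?" step). Warn,
    # because the DAVRdr will then send the password unencrypted to any server
    # that asks for Basic, including a rogue one.
    Write-Warning 'Enabling UseBasicAuth lets the DAVRdr send passwords in the clear.'
    if (-not (Test-Path $DavRdrKey)) { New-Item -Path $DavRdrKey -Force | Out-Null }
    Set-ItemProperty -Path $DavRdrKey -Name 'UseBasicAuth' -Value 1 -Type DWord
    Restart-Service -Name WebClient -ErrorAction SilentlyContinue
}

# Report the current effective state.
Get-BasicAuthState
```

Run Get-BasicAuthState before and after a change to confirm the effective state; both Set-* functions need administrative rights for the HKLM value, while DisableBasicOverClearChannel is per user and applies only to the account that runs the script.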

Why is this change important?

Users and applications that rely on WinINet can be prevented from transmitting a password in the clear to any HTTP server, including a rogue one, that offers only BasicAuth.

What threats does it help mitigate?

Imagine a corporate user who routinely accesses the Web site https://www.contoso.com/sales. While outside the corporation on a public network, the user attempts to access that site using Internet Explorer. Since the laptop is outside the corporation, the request should fail with a "Server not found" message. An attacker can run on that same public network a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS lookup. The laptop will then send the HTTP request to load the page to the rogue server. If the rogue server responds with BasicAuth as the authentication method, the laptop prompts the user for his or her credentials. The prompt identifies the site www.contoso.com/sales, leading the user to believe the request is legitimate. If the user enters his or her user name and password, the client transmits that information in the clear, and the attacker thus gains access to that user's login information. There is no indication to the user that the channel is insecure, or that the laptop will transmit the user name and password in the clear. Note that the attack depends on the request reaching the rogue server over unencrypted HTTP; an HTTPS connection to the rogue server fails server certificate validation, which is why the setting only blocks BasicAuth over clear channels.

What works differently?

By default, there is no change in behavior for WinINet applications (except for the DAVRdr as noted above). If DisableBasicOverClearChannel is set to a non-zero value, or an application sets AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL, the user is unable to connect over unencrypted HTTP to servers that support only Basic Authentication.

What settings are added or changed in Windows Server 2003 Service Pack 1?

WebDAV Redirector Settings

Setting name: UseBasicAuth
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth
  Previous default value (if applicable): Not applicable.
  Default value: Key doesn't exist (BasicAuth disabled for DAVRdr)
  Possible values: 0, non-zero

Setting name: DisableBasicOverClearChannel
  Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
  Previous default value (if applicable): Not applicable.
  Default value: Key doesn't exist (BasicAuth enabled for everything other than the DAVRdr)
  Possible values: 0, non-zero

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

No changes are necessary. Developers who write applications that use the Internet APIs and want to disable BasicAuth over clear channels, as the DAVRdr does, can add a call to InternetSetOption() with INTERNET_OPTION_AUTH_FLAGS and the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag.
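The following is an added example, not code from the article, showing the per-application switch from a script by calling InternetSetOption through P/Invoke. The flag value 0x4 is the one the article gives; the numeric value of INTERNET_OPTION_AUTH_FLAGS (85) is taken from wininet.h and should be checked against your SDK header. Setting the option on the session handle returned by InternetOpen is an assumption about where the flag applies (the article says only that the application sets it "for its connections"); the agent string is a placeholder.

```powershell
# Added example: disable Basic over clear channels for one WinINet session.
# Assumptions: INTERNET_OPTION_AUTH_FLAGS = 85 (from wininet.h; verify against
# your SDK); the option is applied to the session handle; agent name is arbitrary.

$src = @'
using System;
using System.Runtime.InteropServices;
public static class WinInetNative {
    public const int INTERNET_OPTION_AUTH_FLAGS = 85;            // verify in wininet.h
    public const int AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL = 0x4; // value from the article
    [DllImport("wininet.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr InternetOpen(string agent, int accessType,
                                             string proxy, string bypass, int flags);
    [DllImport("wininet.dll", SetLastError = true)]
    public static extern bool InternetSetOption(IntPtr hInternet, int option,
                                                ref int buffer, int bufferLength);
    [DllImport("wininet.dll", SetLastError = true)]
    public static extern bool InternetCloseHandle(IntPtr hInternet);
}
'@
Add-Type -TypeDefinition $src

function New-HardenedWinInetSession {
    # INTERNET_OPEN_TYPE_PRECONFIG = 0: use the proxy settings from the registry.
    $h = [WinInetNative]::InternetOpen('HardenedClient', 0, $null, $null, 0)
    if ($h -eq [IntPtr]::Zero) {
        throw "InternetOpen failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $flags = [WinInetNative]::AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL
    $ok = [WinInetNative]::InternetSetOption($h,
            [WinInetNative]::INTERNET_OPTION_AUTH_FLAGS, [ref]$flags, 4)
    if (-not $ok) {
        [WinInetNative]::InternetCloseHandle($h) | Out-Null
        throw "InternetSetOption failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Requests made from this handle will not answer a Basic challenge over plain HTTP;
    # the caller must release it with InternetCloseHandle when finished.
    return $h
}

$session = New-HardenedWinInetSession
[WinInetNative]::InternetCloseHandle($session) | Out-Null
```

A client hardened this way behaves like the DAVRdr default: against a server that offers only BasicAuth over HTTP it fails the request rather than prompting, which is the outcome the threat scenario above is meant to force.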