Basic Webdav for IIS5 and IIS6

 

 

Overview:

  • Create the webdav user account(s)
  • Give the user “log on locally permissions”
  • Enable webdav (IIS6 only)
  • Create the content folder
  • Create the website (or virtual directory) with directory browsing and write permissions
  • Adjust “Security tab” (ntfs) permissions on the content folder
  • Adjust “Web Sharing tab” settings on the content folder
  • In the website, request and process an SSL certificate
  • In the virtual directory, set “Require SSL” and set “basic authentication”
  • Test with browser using File > Open > open as webfolder > https://www.fqdn.com/virtdir

 

 

 

Preliminary: If the webserver is a Windows 2000/IIS5 box, I highly recommend that you ensure that the machine is on the latest service pack and latest cumulative fixes.  This can save you many headaches, as there were many functionality and security inclusions, particularly in the various service packs for Windows 2000.

 

 

 

Assuming that IIS is not a DC, open Computer Management’s “Local Users and Groups” console and create the desired user account(s) and password.

 

 

In this example the user will be named DavUser1

 

Note: if you’ll be creating several users to do webdav, such as 300 separate webmasters who will be updating their 300 websites using webdav, you’ll probably want to create the 300 accounts and then lump them into a single OU or local group named Webmasters, for example.

 

Note: if the webserver is a DC you’ll be using domain users rather than local users.  The user will need to be created in Active Directory Users and Computers.

 

Note: I’m assuming here that the vast majority of people will be wanting to guard their webdav site with basic authentication (or perhaps passport authentication or perhaps client certificate authentication) to validate the users who will upload, download, or “dav” their files to and from IIS.  If you’d like to use an anonymous webdav site, however, the Iusr account will be used and there is no subsequent need to create user accounts to authenticate.

 

 

 

Give that user account “log on locally” permissions in the Local Security Policy.

 

Drill into: Start button > Programs > Admin Tools > Local Security Policy > Local Policies > User Rights Assignment > Allow Log on Locally > Add, etc…

 

 

NOTE: if this webserver is a DC or has group policies pushed out to it you may have to add this user to the “Allow log on locally” policy from a group policy console rather than the local security policy.

 

Note: if you created an OU or a local group for webmasters, it would be more sensible here to add the OU/group to this policy rather than adding all 300 webmasters.

 

 

(IIS6 only)

Enable webdav. 

 

In IIS6, unlike IIS5, webdav must be enabled in the ISM’s “Web Service Extensions” before Webdav will ever work. 

It should be (and probably will be) mapped to c:\windows\system32\inetsrv\httpext.dll

 

 

Note: In IIS5 webdav will almost certainly be enabled by default.  If there are problems with it working in IIS5, consider KB 241520 to see if someone disabled it in the registry (HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters > Value name: DisableWebDAV / Data type: DWORD / Value data: 1) and re-enable it by removing that key (or by setting its value to 0?).  Otherwise check to see if there is a urlscan.ini which is denying webdav verbs.  (A third alternative may be with appmappings and a fourth could pertain to ACLs on the httpext.dll?  But that’s really getting ahead of ourselves here!)  The exception for IIS6 may be that if IIS5 was upgraded to IIS6, webdav will probably be enabled by default.

 

 

Create the content folder in Windows Explorer

 

No need to adjust permissions on it just yet but leave Explorer open because we’ll do that soon.

 

 

Create the website (or virtual directory)

 

During the creation of the website, checkmark “write” if you wish the webdav user to drag and drop files into the webfolder and checkmark “directory browsing.”  This is a vital step to making webdav work in iis.

 

 

Adjust permissions on the folder

 

Return to Windows Explorer to begin to adjust permissions on the content folder. 

Right-click the folder you created, select Properties from the grey menu, and select the tab labeled “Security.”

 

 

The bottom line is that you’ll want these accounts to have permissions over the content folder:

  • Administrators – full control
  • System – full control
  • DavUser1 – Modify control

 

If you are setting this content folder to be the content folder for a non-webdav website and also a webdav-able website or virtual directory (such that the webmaster can webdav their webcontent to the virtual directory while anonymous users can browse to the website anonymously) you’ll also want to add these accounts:

  • Iusr_[machinename] – RX, L, R (true of both IIS5 and IIS6)
  • IIS_WPG – RX, L, R  (this is only for IIS6)

 

You will probably want to entirely remove these accounts:

  • Everyone group
  • Users group

 

When you have your users and permissions set the way you want them, click OK once but don’t leave the properties sheet of the content folder just yet.

 

Note:  Before setting any of these users and permissions, you should consider whether you should break NTFS inheritance from the parent or not. (Visible after clicking the Advanced button on the properties sheet.)  This will be up to you to determine, as this can work for you and it can work against you.  For instance, if you have 300 webmasters updating three hundred secured virtual directories through webdav and you also have 300 websites pathed to the same content directories (but accessing them anonymously), you’ll probably want to set the Iusr account with RX, L, and R perms on the parent folder and let the 300 content folders inherit that account.  And you’ll of course want to individually set the specific webmaster’s account to his or her respective folder.

 

Note: it may also be a good idea to propagate the changes downward (also advanced button…)

Also in Windows Explorer, or in the properties sheet of the content folder rather, select the tab labeled “Web Sharing”

 

 

First decide which website or websites you would like this folder to be shared on.  The drop-down list for “Share on:” should show all the existing websites.

Not sure about this, but add the corresponding username and give him RX and L for sure.  Probably want to give that user “Write” perms as well.  And maybe Modify or Full as well?!?!

 

Very possible you may want to remove the Everyone Group, the Users Group, and the Iusr account.

 

 

 

In the ISM, create either a site or a virtual directory.

 

 

 

On Home Directory Tab, ensure that we have check-marks beside Directory Browsing and Read. 

You’ll probably want a check-mark beside Write as well in case you want to “upload” a file.

 

 

This is what it will probably look like if you do directory browsing without using IE’s “open as webfolder” checkbox:

 

 

You cannot drag and drop files to and from the site this way.

 

The proper way to “do webdav” from the client side is to open Internet Explorer, expand the File menu, select Open…

 

 

Be sure to checkmark the “open as web folder” checkbox and type in the url.

 

 

When webdav is working properly and you open the site as a webfolder, it should look something like the following screenshot:

 

 

 

 

Now you can drag and drop a file from the desktop to the “web folder.”

         <<<<<<<<<       WEBDAV   >>>>>>>>>>>>>

 

 

221600 Working with Distributed Authoring and Versioning (DAV) and Web Folders

http://support.microsoft.com/?id=221600

 

 

323470 HOW TO: Create a Secure WebDAV Publishing Directory

http://support.microsoft.com/?id=323470

 

 

287402 Troubleshooting Web Folders

http://support.microsoft.com/?id=287402

 

 

 

241520 How to Disable WebDAV for IIS 5.0

http://support.microsoft.com/?id=241520

 

195851 How to Install and Use Web Folders in Internet Explorer 5

http://support.microsoft.com/?id=195851

 

 

 

 

What is it?

Webdav is an isapi extension, not a filter.

Simple file i/o across http protocol

Think of webdav as an online file share.

 

WebDAV is an extension to the Hypertext Transfer Protocol (HTTP) that extends the base set of HTTP methods to include basic file functions such as copying and moving resources, creating folders or resource collections, locking and unlocking resources, and setting and retrieving resource properties.

WEC is a Microsoft Office 2000 protocol that is used for Web publishing, and is usually implemented through the use of Microsoft FrontPage Server Extensions.

Exchange has its own implementation of WebDav

SharePoint Portal Server uses Web Distributed Authoring and Versioning (WebDAV) to allow remote client connectivity.

BizTalk uses Web Distributed Authoring and Versioning (WebDAV) and also creates a virtual directory within IIS.

 

 

Support Boundaries:

if webdav is being used with frontpage, then it is the frontpage team that supports it. 

if a webdav case doesn't have a home, it will come to the iis team.

 

 

 

in ISM GUI ... Webdav requires “directory browsing allowed” to be check-marked.

Else 403 forbidden error.  See p.72 for flowchart.

 

To disable, have urlscan deny verbs.  Or disable in registry:

241520 How to Disable WebDAV for IIS 5.0 -- http://support.microsoft.com/?id=241520

 

Tip: good to know specific webdav verbs for when checking log

 

7 new http verbs:

PropFind (similar to a GET. Starts a webdav session)

PropGet – retrieve a given property

PropPatch, MKCOL, DelCOL, Lock, Unlock.

Make-collection and delete-collection. Create own directory structure.

 

Translate… lets it stay as source code rather than getting served??? Good for developers?

 

basic authentication with ssl is okay to use with webdav.

but never use basic by itself and never use anon.

digest, however, hashes the pw on both sides.

 

attack vectors:

denial of service... some ways... overloading with submission of files and/or verbs. can also not release a lock.

every month there are more ways to break webdav. big security holes.  see p.69 of spiral binder.

 

urlscan.ini will disable functionality. otherwise may be able to remove verbs from appmappings.
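
To make the tip about knowing the verbs when checking the log concrete, here is an added example (not part of the original notes): a Python review of an IIS W3C extended log that counts WebDAV methods and flags anonymous writes, authenticated requests outside SSL, and locks that are never released. It uses the RFC 2518 method names plus SEARCH; the log lines are constructed, and treating port 443 as the only SSL port is an assumption.

```python
"""Review an IIS W3C extended log for WebDAV activity (added example)."""
from collections import Counter

# RFC 2518 methods, plus SEARCH (the IIS method discussed in KB 272079).
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "SEARCH"}
# Methods that change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE"}

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 10:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 192.0.2.10 DavUser1 443 PROPFIND /virtdir/ 207
2004-03-01 10:00:05 192.0.2.10 DavUser1 443 LOCK /virtdir/index.htm 200
2004-03-01 10:00:06 192.0.2.10 DavUser1 443 PUT /virtdir/index.htm 201
2004-03-01 10:00:07 192.0.2.10 DavUser1 443 UNLOCK /virtdir/index.htm 204
2004-03-01 10:02:00 198.51.100.7 - 80 PROPFIND /virtdir/ 207
2004-03-01 10:02:03 198.51.100.7 - 80 PUT /virtdir/drop.txt 201
2004-03-01 10:03:00 192.0.2.44 DavUser2 80 LOCK /virtdir/report.doc 200
2004-03-01 10:04:00 203.0.113.9 - 80 GET /default.htm 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The field list can change mid-file when logging is reconfigured.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        yield dict(zip(fields, values))


def review(text, ssl_ports=("443",)):
    """Return (Counter of WebDAV methods seen, list of finding tuples)."""
    verbs = Counter()
    findings = []
    open_locks = {}  # (user, uri) -> client IP of the successful LOCK
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        user = rec.get("cs-username", "-")
        uri = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "?")
        ok = rec.get("sc-status", "").startswith("2")
        if method in DAV_METHODS:
            verbs[method] += 1
        if method not in DAV_METHODS | WRITE_METHODS:
            continue
        # "Never use anon": a successful write with no user name logged.
        if user == "-" and method in WRITE_METHODS and ok:
            findings.append(("anonymous-write", ip, method, uri))
        # "Never use basic by itself": credentials sent outside SSL.
        if user != "-" and rec.get("s-port") not in ssl_ports:
            findings.append(("auth-without-ssl", ip, method, uri))
        # Track locks so that ones never released stand out.
        if method == "LOCK" and ok:
            open_locks[(user, uri)] = ip
        elif method == "UNLOCK" and ok:
            open_locks.pop((user, uri), None)
    for (user, uri), ip in open_locks.items():
        findings.append(("lock-not-released", ip, "LOCK", uri))
    return verbs, findings


if __name__ == "__main__":
    verbs, findings = review(SAMPLE_LOG)
    print(dict(verbs))
    for finding in findings:
        print(*finding)
```

The log must include the `cs-username`, `s-port` and `cs-method` fields for the checks to fire; enable them in the site's extended logging properties if they are missing.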

WebDAV, WebFolder, and MSIPP Resources

The following resources contain more in-depth information about WebDAV, WebFolders, and the Microsoft Internet Publishing Provider:

Distributed Authoring and Versioning Extensions for HTTP Enable Team Authoring
http://www.microsoft.com/msj/defaulttop.asp?page=/msj/0699/dav/davtop.htm

IETF WEBDAV Working Group
http://www.ics.uci.edu/pub/ietf/webdav/

WebDAV in 2 Minutes
http://www.fileangel.org/docs/DAV_2min.html

MSDN Web Storage System Center
http://msdn.microsoft.com/WSS/

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

290111 HOWTO: Move or Copy Folder Items with WebDAV

245359 HOWTO: Open Documents Using Internet Publishing Provider

248501 SAMPLE: Using Rosebud.exe with OLE DB Provider for Internet Publishing from Visual C++

195851 How to Install and Use Web Folders in Internet Explorer 5

 

 

File Transfer Alternatives

Because of the NBSD configuration issues and security concerns with FTP, several alternatives to standard FTP are used. One common alternative to FTP is the use of HTTP as a file transfer method, because most firewalls allow HTTP connections over TCP 80 and HTTPS connections over TCP 443. Although Microsoft has supported HTTP-based file transfers for several years in products such as the FrontPage Server Extensions and the Posting Acceptor, the recognized standard for HTTP file transfers is WebDAV, the HTTP extensions for distributed authoring and versioning. Defined by RFC 2518, WebDAV is built into IIS 5.0, and allows the user to use WebDAV shares (that is, folders that are published on a WebDAV-enabled Web server) in much the same way that network shares are used, provided that the connection is made by a client that is capable of communicating with WebDAV (such as Internet Explorer 5.0 and later).

NOTE: For more information on RFC 2518, see the following Web site:

RFC 2518
http://rfc.net/rfc2518.html

Because the FTP service in IIS does not support FTP over Secure Sockets Layer (SSL), if secure communications are important, and FTP is the desired transfer protocol (as opposed to using WebDAV over SSL), consider using FTP over an encrypted channel such as a Virtual Private Network that is secured with Point-to-Point Tunneling Protocol or IPSec. For more information on FTP over SSL, see RFC 2228.

 

 

 

 

Microsoft Knowledge Base Article - 323470

HOW TO: Create a Secure WebDAV Publishing Directory


This article was previously published under Q323470

IN THIS TASK

*  SUMMARY

   *  Create a WebDAV Publishing Directory

   *  Set Up Basic Authentication

   *  Troubleshooting

*  REFERENCES

SUMMARY

This step-by-step article describes how to create a secure Web Distributed Authoring and Versioning (WebDAV) publishing directory.


Create a WebDAV Publishing Directory

1.    On the Microsoft Windows 2000 desktop, click My Computer.

2.    In the Inetpub directory, create a physical directory. For example, if you name the directory WebDAV, the path to this directory is C:\Inetpub\WebDAV. You can put this directory anywhere except under the Wwwroot directory. Wwwroot is an exception because its default discretionary access control lists (DACLs) are different from those on other directories.

3.    Click Start, click Programs, click Administrative Tools, and then open the Internet Information Services (IIS) snap-in. Click to select the Web site in which you want to create the virtual directory, and then map it to the physical directory that you created in step 2.

4.    Type WebDAV as the alias for this virtual directory, and then link it to the physical directory that you created in step 2.

5.    Reset the default NTFS file system permissions to something more restrictive. Users need at least Read permissions to see the directory. If users want to upload content, users also need Write permissions. (modify???)

6.    Grant the Read, Write, and Browsing access permissions for the virtual directory from the IIS Microsoft Management Console (MMC). This grants users the right to publish documents on this virtual directory and to see a list of the files in it. Although Microsoft does not recommend this for security reasons, you can grant the same access to all of your Web site and allow clients to publish to all of your Web server.

NOTE: Granting Write access does not give a client the ability to modify Active Server Pages (ASP) pages or any other script-mapped files. To allow these files to be modified, you must grant Write permissions and Script source access after you create the virtual directory.


Set Up Basic Authentication

1.    Set up Secure Sockets Layer (SSL). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

290625 HOWTO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment Using Certificate Server 2.0

2.    After you have installed the certificate on the Web server, enable Basic authentication on the WebDAV virtual directory in the IIS MMC:

a.    Click Start, click Programs, and then click Administrative Tools.

b.    Click Internet Information Services. This opens the MMC for IIS.

c.    Locate your WebDAV publishing directory under the Web site that you created. Right-click the directory, and then click Properties.

d.    In the window that appears, click the Directory Security tab. Under Anonymous Access and Authentication Control, click Edit. This opens the Authentication Methods window.

e.    Click to select Basic authentication for the virtual directory. Make sure that nothing except Basic is selected.

f.     Click OK in the next two windows so that the settings take effect.

WebDAV

Web Distributed Authoring & Versioning

 

 

 

Links

 

http://msdn.microsoft.com/library/periodic/period99/DAV.HTM

 

http://webdav

 

http://afd2k/webdav

 

http://sscomm/webdav

 

 

 

Q Articles

 

http://support.microsoft.com/support/kb/articles/q195/8/51.asp

How to Install Web Folders with IE 5.0

 

http://support.microsoft.com/support/kb/articles/q221/6/00.asp

Working with Distributed Authoring and Versioning (DAV) and Web

 

http://support.microsoft.com/support/kb/articles/q291/8/45.asp

Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources (HOTFIX)

 

http://support.microsoft.com/support/kb/articles/q173/9/71.asp

HTTP Reply Codes and Messages

 

http://support.microsoft.com/support/kb/articles/q247/6/43.asp

HTTP/1.1 Error 501 - Not Implemented

 

http://support.microsoft.com/support/kb/articles/q241/5/20.asp

How to Disable WebDAV for IIS 5.0

 

http://support.microsoft.com/support/kb/articles/q272/0/79.asp

IIS Search Method May Allow Unauthorized Users a Directory List

 

 

 

 

WebDAV

HTTP/WebDAV protocol

By Eddie Bowers & Andrew Davis

http://afd2k/WebDAV

What we will cover:

      What is WebDAV?

      What WebDAV means to us

      The 7 Verbs of WebDAV

      WebDAV Headers

      HTTPEXT.DLL

      Why WebDAV?

      WebDAV Errors

      Security and WebDAV

      MS01-016 / Q291845

      Steps to Disable WebDAV

      Q Articles

What is WebDAV (or DAV)?

      Web Distributed Authoring and Versioning

      WebDAV is a proposed extension to HTTP/1.1 protocol (RFC-2518)

      WebDAV allows users to perform web content authoring operations across networks

      WebDAV uses verbs, headers, content-types to provide simple File I/O across HTTP

What WebDAV means to us

      WebDAV means the ability to do simple File I/O over HTTP

      File I/O includes the ability to create, edit, and delete files and directories

      WebDAV includes File Locking; two users can’t change file at same time

      WebDAV adds 7 new verbs to HTTP

The 7 Verbs

      PROPFIND – searches for date, size, etc.

      PROPGET – get property of object

      PROPPATCH – update a property of object

      MKCOL – create sub directory

      DELCOL – delete sub directory

      LOCK – lock object

      UNLOCK – unlock object

WebDAV Headers

      Defines properties of WebDAV packet

      When a command comes in, the WebDAV engine uses the header to determine what to do with the command such as delete all the files in current path, or in a different path

      The header also flags the HTTP request as a WebDAV request

HTTPEXT.DLL

      HTTPEXT.DLL provides WebDAV to IIS 5.0

      When HTTP request comes in, if a WebDAV header or Propfind verb is found then the request is passed to the HTTPEXT.DLL

      This process of passing the request is seamless and transparent to the client

Why WebDAV?

      WebDAV supports web authentication methods

     Anonymous

     Basic

     Digest

     Windows Integrated

      Can be combined with SSL

      Script Source access allows scripts to be executed while protecting the source code from being viewed

      Disk Quotas allow limiting amount of data transferred

WebDAV Errors

      102 Processing – WebDAV is running please wait

      207 Multi-Status – Status report of operations

      422 Unprocessable Entity – File not found

      423 Locked – File is currently locked

      424 Method Failure – Method failed to execute

      425 Insufficient Space – Low disk space message

Security and WebDAV

      Implement using NTFS permissions and authentication methods of IIS

      Use TLS/SSL and Basic Authentication for internet

      Use Digest for Intranet: Digest = both parties know shared secret, password.

MS01-016 / Q291845

      Flaws exist in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server

      Recommendation: System administrators using Microsoft® Internet Information Services 5.0 should apply the patch http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28564

Steps to Disable WebDAV for an Entire IIS 5.0 Web Server
http://www.microsoft.com/technet/support/kb.asp?ID=241520

      Open a command-prompt session

      Stop the IIS services by typing the following command and then pressing ENTER: IISRESET /STOP

      Set ACLs on the Httpext.dll file to everyone no access

     Change the directory to your %SystemRoot%\System32\Inetsrv folder

     Open a command-prompt session and type: CACLS httpext.dll /D Everyone

      Restart the IIS services by typing the following command and then pressing ENTER: IISRESET /START

Q Articles

      Q195851 How to Install and Use Web Folders in Internet Explorer 5

      Q221600 Working with Distributed Authoring and Versioning (DAV) and Web

      Q247643 HTTP/1.1 Error 501 - Not Implemented

      Q272079 IIS Search Method May Allow Unauthorized Users a  Directory List

      http://msdn.microsoft.com/library/

      Q241520 How to Disable WebDAV for IIS 5.0

TITLE: DSMSRV:How to upload download files to IIS       [SOINET  ]

 Wants to upload download files.  See a     [5.00        - W_98512   ]

 ID: SOX010313700163 CRT:Mar 13 2020 MOD:Mar 13 2020 STS:Cust

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

*** Problem Description ***

Wants to upload/download files.

 

See attached sample in SRX010309602508

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

 

*** Resolution *** 03/13/2001 03:16:23 PM pjkyte

 

 

1) The link in Leon's sample 'Upload my Web Folder' will create a LOCAL Web

Folder on the client machine. You can see the web folder on the client machine

by opening up the 'My Network Places'.

 

2) The Web folder will use, in order of priority.

 

a) FrontPage Server Extensions, if installed.

 

b) WebDav

 

 

 

For your purposes I strongly recommend using WebDav rather than the FrontPage

Server Extensions. Whilst the solution will still work on a FrontPage extended

server you will need to set up every user in FrontPage permissions, which is

an administrative detail I think you want to avoid. So in order for the

webfolders to use WebDav you will need to uninstall the Server Extensions. Do

this from the Internet Services Manager. Q234368 gives more detail if you need

it. It doesn't matter if the CLIENT machine has Frontpage installed or not, it

is the presence of the FrontPage Server extensions on the server or not that

is the key.

 

 

 

You have to be very exact in setting permissions in order for this to work.

 

 

 

1) The welcome.asp page must be password protected in order to be able to

obtain the username.

 

 

 

In order to download files by WebDav the following permissions must be setup.

 

1) NTFS permissions of read on the user folder and read permissions set for the

directory through the Internet Services Manager

 

2) If you want users to be able to see the list of files available for

download, you need to allow Directory Browsing in the Internet Services

Manager for the user folder

 

 

 

In order to upload files by WebDav the following permissions must be setup.

 

1) NTFS permissions of write on the user folder and write permissions set for

the directory through the Internet Services Manager

 

 

 

In order to upload ASP files by WebDAV the following permissions must be setup

 

1) Script Source Access in the Internet Services Manager for the user folder.

 

 

 

If you are running into problems you'll want to eliminate caching. We had some caching problems both on the server-side and the client side. A reboot of the server and client would eliminate caching as an issue. For other problems, I'd look into permissions first because I don't list ALL the permissions necessary above, just the ones different from default on my machine. Troubleshooting permissions you'd open the permissions up wider until you hit the right one, except on the welcome.asp page which should never have Everyone, or IUSER with access to it.

 

 

 

 

TITLE: Q323470 How to create a Secure WebDAV Publishin   [SRWINNT ]

 **Problem** Windows 2000 Server            [2000        -W_98927   ]

 ID: SOX020424700094  CRT: Apr 24 2002   MOD: Apr 24 2002   STS:Published      

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Problem Description ***

Problem: Using FTP with BASIC authentication to upload files to his web site.

 

Issue: This method provides very little security for his web server.

 

Resolution: Use a secure method to connect to the web server and then

publish/upload files.

 

 

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Resolution *** Apr 24 2002  1:18PM v_bobbid

 

Using WebDAV with Basic authentication and SSL to encrypt the transmission, will

provide a method for transferring files along with providing security during the

authentication process

 

Requires IIS 5 or higher

IE 5.0 or higher

 

Creating a Publishing Directory

 

The following procedure walks you over setting up a WebDAV publishing directory.

 

1. On the Windows 2000 Desktop, click My Computer.

 

2. In the Inetpub directory, create a physical directory. For example, if you call

the directory WebDAV, the path to this directory would look like this:

c:\Inetpub\WebDAV. You can actually put this directory anywhere you want, except

under the WWWROOT directory. WWWROOT is an exception because its default DACLs are

different from those on other directories.

 

3. In the IIS Snap-in, create a virtual directory.

 

4. Type WebDAV as the alias for this virtual directory and link it to the physical

directory you created in step 2.

 

5. Grant Read, Write, and Browsing access permissions for the virtual directory. (This grants users the right to publish documents on this virtual directory and to see a list of the files in it. Although not recommended for security reasons, you can grant the same access to your entire Web Site and allow clients to publish to your entire Web server.)

 

Note: Granting Write access does not give a client the ability to modify Active Server Pages or any other script-mapped files. To allow these files to be modified, you must grant Write permission and Script source access after creating the virtual directory.

 

Once you finish setting up a WebDAV virtual directory, you can allow clients to

publish to it.

 

Now that you have the Publishing Directory created all you need is to install an SSL certificate to enable Secure Communication between the IIS server and the client requesting the resources. Once the certificate is installed, enable BASIC authentication on the web site where the publish directory needs to be and give the appropriate accounts access to the NTFS folders and files under that directory.

 

To setup SSL please refer to: 

 

Q290625 HOWTO: IIS5: How to Configure SSL in a Windows 2000 IIS 5

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q290625

 

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

 

 

 

TITLE: IIS6:Unable to view WebDAV folder from Win 2003    [        ]

 **Problem** Windows Server 2003 Web        [2003        -W_5825    ]

 ID: SOX030730700059  CRT: Jul 30 2003   MOD: Jul 30 2003   STS:Customer Verified

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Problem Description ***

After enabling WebDAV on Win 2003 server, you get the following message when trying

to open the folder from IE as a web folder.

 

"IE was not able to open htt://<URL> as a web folder. Would you like to see its

default view instead?"

 

This occurs only when accessing the WebDAV folder from a Win 2003 machine. All

other operating systems work fine.

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Resolution *** Jul 30 2003  2:13PM sridevig

 

Install the Office Web components (OWC10.msi  - for Office XP) to install the

WebDAV client. MS Project and Visio also have web components.

 

IE for Win 2003 does not natively support WebDAV folders.

 

298637 No Option to Install Web Folders When You Install Internet Explorer 6

http://support.microsoft.com/?id=298637

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

 

 

 

TITLE: Cannot open a WebDAV folder using IE or My Netw   [SRINET  ]

 **Problem** Internet Info Server 5.0       [5.00        -W_98512   ]

 ID: SOX031013700105  CRT: Oct 13 2003   MOD: Oct 13 2003   STS:Customer Verified

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Problem Description ***

Problem:

========

- Connecting to a WebDAV folder using Internet Explorer or My Network Places.

- Instead of opening the folder and displaying the contents, the following error

message is displayed by Internet Explorer or My Network Places:

"Could not open as a Web folder. Would you like to see its default view instead"

- When you select the option to open the folder in its default view, you see a

blank screen.

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 

*** Resolution *** Oct 13 2003  6:29PM tkincer

 

Troubleshooting::

==============

- Capture a Netmon trace between the client and server or use WFetch to issue an

OPTIONS request to the server.

- Examine the Netmon trace or look at the Log Output section in WFetch.

- If IIS responds to the OPTIONS request and the response contains the following

header:

 

MS-Author-Via: MS-FP/4.0,DAV

 

IE and Network Places will attempt to connect to the WebDAV folder using FrontPage

Server Extensions.

 

- If FPSE are not installed, the connection attempt will fail and the error message

stated in the problem section will be displayed.

 

Cause:

======

- The above header is returned by IIS when the "FrontPageWeb" metabase property is

present at the site or virtual directory level.

 

Resolution:

==========

- Set this property to "0" or remove it completely.

- Once you have done this, the response to the OPTIONS request should contain the

following header:

 

MS-Author-Via: DAV

 

and both Internet Explorer and My Network Places will connect to the WebDAV folder

using DAV.

 

- At this point you will see the contents of the WebDAV folder.

 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 
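
The OPTIONS check described in the case above, as an added example that is not part of the original case notes: a Python parser that reads a captured OPTIONS response (for instance, copied from the WFetch log output) and reports whether the client will be steered to FrontPage Server Extensions or to DAV, and whether the server advertises DAV at all. The three responses are constructed samples; the function names and result labels are hypothetical.

```python
"""Classify a captured OPTIONS response by its MS-Author-Via header (added example)."""

# Constructed sample responses, shaped like a WFetch or Netmon capture.
FPSE_FIRST = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
DAV_ONLY = FPSE_FIRST.replace("MS-FP/4.0,DAV", "DAV")
NO_DAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Length: 0\r\n\r\n"
)

# What each label means, following the case notes above.
ADVICE = {
    "fpse-first": "Client will try FrontPage Server Extensions first; if FPSE "
                  "is not installed, check the FrontPageWeb metabase property.",
    "dav": "Client will connect using DAV.",
    "none": "No MS-Author-Via header; the server names no authoring protocol.",
}


def parse_headers(raw):
    """Return (status code, {lower-case header name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        # Header names are case-insensitive and may repeat.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def tokens(headers, name):
    """Split every value of a comma-separated header into upper-case tokens."""
    out = []
    for value in headers.get(name, []):
        out.extend(t.strip().upper() for t in value.split(",") if t.strip())
    return out


def classify(raw):
    """Summarise which authoring protocol the response steers a client to."""
    status, headers = parse_headers(raw)
    via = tokens(headers, "ms-author-via")
    methods = set(tokens(headers, "allow")) | set(tokens(headers, "public"))
    if any(t.startswith("MS-FP") for t in via):
        authoring = "fpse-first"
    elif "DAV" in via:
        authoring = "dav"
    else:
        authoring = "none"
    return {
        "status": status,
        "authoring": authoring,
        # True when the response carries a DAV header or lists PROPFIND.
        "dav_advertised": "dav" in headers or "PROPFIND" in methods,
    }


if __name__ == "__main__":
    for label, raw in (("FPSE_FIRST", FPSE_FIRST), ("DAV_ONLY", DAV_ONLY),
                       ("NO_DAV", NO_DAV)):
        result = classify(raw)
        print(label, result, ADVICE[result["authoring"]])
```

The same check is a quick way to confirm that a server where WebDAV was meant to be disabled no longer advertises it.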

 

 

 

 

 

 

IIS Search Method May Allow Unauthorized Users a Directory Listing of a WGID:198

ID: 272079.KB.EN-US CREATED: 2000-08-22 MODIFIED: 2003-04-22

 

 

Public |

 

\* Security : Public

 

===============================================================================

-------------------------------------------------------------------------------

The information in this article applies to:

 

 - Microsoft Internet Information Services 5.0 (Version: 5.0)

 - Microsoft Internet Information Services version 6.0

 

-------------------------------------------------------------------------------

 

SYMPTOMS

========

 

 It may be possible for an outside user to use the search

  functionality in Web Distributed Authoring and Versioning (WebDAV) to get a

  directory listing of a Web site's content area.

 

NOTE: This is only a problem if Index Server is used on the server

  (which is not enabled by default), and the directory lists can only be

  generated if the Web site (or resource such as a virtual directory or file) has

  the Index property set.

 

The implications of this are that an outside user may be able to discover a hidden directory or an include file (such as a .inc). By using the search feature, a user may be able to get a directory listing, which would make discovery much easier. This may expose your Web site to a malicious attack (for example, if a .inc file includes a database user name and password).

 

RESOLUTION

==========

 

 To secure your Web site(s) from a possible attack, perform

  the following checklist on your Web site(s):

 

 

- If you are not using Index Server (for example, you don't have

  content on your Web site that you want to have searched), disable or

  uninstall the service. -OR-

 

- In directories that contain sensitive information, make sure to

  disable the Index this resource option on the appropriate tab (for

  example, a virtual directory on the Virtual Directory tab).

 

 

MORE INFORMATION

================

 

 Internet Information Services (IIS) versions 5.0 and later

  offer a technology named WebDAV (see RFC2518). Web Distributed Authoring and

  Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish,

  lock, and manage resources on the Web. Integrated into IIS, WebDAV allows

  clients to do the following:

 

 

- Manipulate resources in a WebDAV publishing directory on your server.

  For example, with this feature, users with the correct permissions can

  copy and move files around in a WebDAV directory.

 

- Modify properties associated with certain resources. For example, a

  user can write to and retrieve a file's property information.

 

- Lock and unlock resources so that multiple users can read a file

  concurrently, but only one person at a time can modify the file.

 

- Search the content and properties of files in a WebDAV directory.

 

 

QUERY WORDS

===========

 

iis 5 iis5 iis 6 iis 6.0 iis6 webdav security

 

<<\**

 

For Outsourcer Only:
===================

SECURE DATA
===========

 

DOC INFO: In order to see what we're talking about in this

  article, perform the following WebDAV query (via a tool like WebClient for

  instance):

 

 

SEARCH / HTTP/1.1

 Host: football

 Content-Type: text/xml

 Content-Length: 136

 

 <?xml version="1.0"?>

 <g:searchrequest xmlns:g="DAV:">

 <g:sql>

  Select "DAV:displayname" from scope()

 </g:sql>

 </g:searchrequest>

 

 

 NOTE: Football is the name of the server we are connecting to with our client. This will return output like the following (showing all directories and files):

 

 

 

HTTP/1.1 207 Multi-Status

Server: Microsoft-IIS/5.0

Date: Fri, 17 Mar 2000 22:46:47 GMT

Content-Type: text/xml

Transfer-Encoding: chunked

 

b177

<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">
<a:response><a:href>http://football/a.asp</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>a.asp</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/aa.asp</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>aa.asp</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/aaa.bmp</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>aaa.bmp</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/aab.bmp</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>aab.bmp</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/asdfgh.txt</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>asdfgh.txt</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/baronhall.htm</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>baronhall.htm</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://football/baronhall.jpg</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>baronhall.jpg</a:displayname></a:prop></a:propstat></a:response>

 

 

 NOTE: The user, if vulnerable to this particular 'hack', is relying, essentially, on security through obscurity. For instance, if I have a file called MyConnection.inc (which contains a connection string containing my username and password for the database) that is called from an ASP page that is part of the content area, a user need only know the location to view this in a browser. This 'hack' using WebDAV only saved that user time. The site was, in reality, always vulnerable to this sort of attack.

 

**/>>
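When reviewing your own server, a saved 207 Multi-Status body like the one shown above can be reduced to a list of the paths the index reveals, with include-type files flagged for follow-up. This is an added example, not part of the KB article; the sample body is constructed (it reuses the article's host name and the MyConnection.inc name from the note), and every extension other than .inc in the review list is an assumption.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"  # ElementTree spelling of the DAV: namespace
# Assumption: extensions to flag for manual review. The article names only .inc.
REVIEW_EXTENSIONS = {".inc", ".bak", ".config", ".mdb"}


def dechunk(body):
    """Decode a chunked HTTP/1.1 body: hex size line, data, CRLF, ..., size 0."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the capture is cut short
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(body):
            raise ValueError("capture is truncated inside a chunk")
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that terminates the chunk


def exposed_resources(multistatus_xml):
    """Return (path, displayname, status_code) for every <response> element."""
    rows = []
    for resp in ET.fromstring(multistatus_xml).iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="").strip()
        name = resp.findtext(f"{DAV}propstat/{DAV}prop/{DAV}displayname",
                             default="").strip()
        status = resp.findtext(f"{DAV}propstat/{DAV}status", default="").split()
        code = int(status[1]) if len(status) > 1 and status[1].isdigit() else None
        rows.append((urlsplit(href).path, name, code))
    return rows


def needs_review(rows):
    """Paths reported with status 200 whose extension is on the review list."""
    return sorted(path for path, _name, code in rows
                  if code == 200
                  and posixpath.splitext(path)[1].lower() in REVIEW_EXTENSIONS)


def sample_response(path):
    """Build one constructed <a:response> element for the sample body."""
    name = path.rsplit("/", 1)[-1]
    return (f"<a:response><a:href>http://football{path}</a:href><a:propstat>"
            f"<a:status>HTTP/1.1 200 OK</a:status><a:prop><a:displayname>{name}"
            "</a:displayname></a:prop></a:propstat></a:response>")


# Constructed sample, sent as two chunks so that dechunk() has work to do.
SAMPLE_BODY = ('<?xml version="1.0"?><a:multistatus xmlns:a="DAV:">'
               + "".join(sample_response(p) for p in
                         ("/a.asp", "/baronhall.htm", "/include/MyConnection.inc"))
               + "</a:multistatus>").encode()
SAMPLE_CHUNKED = (b"%x\r\n" % 60 + SAMPLE_BODY[:60] + b"\r\n"
                  + b"%x\r\n" % len(SAMPLE_BODY[60:]) + SAMPLE_BODY[60:]
                  + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    listing = exposed_resources(dechunk(SAMPLE_CHUNKED))
    for path, name, code in listing:
        print(code, path)
    print("review:", needs_review(listing))
```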

 

<<\**

 

For MSInternal Only:

===================

 

Author: DSTOUT (2000-08-22T19:06:00)

 Edit Reviewer:

  lauras (2000-09-14T13:56:00)

Tech Reviewer: larryfr (2000-09-11T08:54:00)

 

 

**/>>

 

===============================================================================

 

\* MSInternal Document Information

\* ===============================

\*

 

Publishing Keywords  : kbiis500 kbiis600 kbiisSearch

Keywords             : kbsweptIIS6 kbpending kbprb

Revision Type        : Minor

Workgroup            : DS M - IIS, Site Server, MCIS [198]

Billing Product      : Internet Information Services [5379]

Original Language    : EN-US

Source Language      : EN-US

\* Assoc. Incident(s):

\* Assoc. Solution(s):

\* Bug Info          :

\* Content Status    : Published

\* Security          : Public

===============================================================================

Created By  : DSTOUT Published Date : 2003-04-22

Modified By : a-abyrd Archived Date  :

 

 

 

 

 

 

HTTP/1.1 Error 501 - Not Implemented    WGID:198

ID: 247643.KB.EN-US CREATED: 1999-12-02 MODIFIED: 2003-04-22

 

 

Public |

 

\* Security : Public

 

===============================================================================

-------------------------------------------------------------------------------

The information in this article applies to:

 

 - Microsoft Internet Information Services version 6.0

 - Microsoft Internet Information Services 5.0 (Version: 5.0)

 

-------------------------------------------------------------------------------

 

SYMPTOMS

========

 

 

When you attempt to use an unknown method from an Internet client, the following error message occurs:

 

 

HTTP/1.1 501 Not Implemented

 

CAUSE

=====

 

 

This behavior is by design.  Internet Information Services (IIS) only supports the methods defined in "RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1" and "RFC 2518 - HTTP Extensions for Distributed Authoring -- WEBDAV." The methods are listed in the following table:

 

 

 

+============+==========+=====+=========+

| Method     | Protocol | RFC | Section |

+============+==========+=====+=========+

| CONNECT    | HTTP     | 2616| 9.9     |

+============+==========+=====+=========+

| COPY       | WEBDAV   | 2518| 8.8     |

+============+==========+=====+=========+

| DELETE     | HTTP     | 2616| 9.7     |

+============+==========+=====+=========+

| GET        | HTTP     | 2616| 9.3     |

+============+==========+=====+=========+

| HEAD       | HTTP     | 2616| 9.4     |

+============+==========+=====+=========+

| LOCK       | WEBDAV   | 2518| 8.10    |

+============+==========+=====+=========+

| MKCOL      | WEBDAV   | 2518| 8.1     |

+============+==========+=====+=========+

| MOVE       | WEBDAV   | 2518| 8.9     |

+============+==========+=====+=========+

| OPTIONS    | HTTP     | 2616| 9.2     |

+============+==========+=====+=========+

| POST       | HTTP     | 2616| 9.5     |

+============+==========+=====+=========+

| PROPFIND   | WEBDAV   | 2518| 8.1     |

+============+==========+=====+=========+

| PROPPATCH  | WEBDAV   | 2518| 8.2     |

+============+==========+=====+=========+

| PUT        | HTTP     | 2616| 9.6     |

+============+==========+=====+=========+

| TRACE      | HTTP     | 2616| 9.8     |

+============+==========+=====+=========+

| UNLOCK     | WEBDAV   | 2518| 8.11    |

+============+==========+=====+=========+

 

 

MORE INFORMATION

================

 

 

For more information on these topics, please see the information at the following:

 

 

- ftp://ftp.isi.edu/in-notes/rfc2616.txt: RFC 2616 - Hypertext Transfer

  Protocol -- HTTP/1.1

 

- ftp://ftp.isi.edu/in-notes/rfc2518.txt: RFC 2518 - HTTP Extensions

  for Distributed Authoring -- WEBDAV

 

 

QUERY WORDS

===========

 

prod2web

 

<<\**

 

For Outsourcer Only:

===================

 

Author: robmcm (1999-12-02T16:05:00)

Edit Reviewer: lauras (1999-12-15T15:44:00)

Tech Reviewer: benba (1999-12-13T11:47:00)

 

 

**/>>

 

===============================================================================

 

\* MSInternal Document Information

\* ===============================

\*

 

Publishing Keywords  : kbiis500 kbiis600 kbiisSearch

Keywords             : kbsweptIIS6 kbhttp501 kbnofix kbprb kbProd2Web

Revision Type        : Minor

Workgroup            : DS M - IIS, Site Server, MCIS [198]

Billing Product      : Internet Information Services [5379]

Original Language    : EN-US

Source Language      : EN-US

\* Assoc. Incident(s):

\* Assoc. Solution(s):

\* Bug Info          :

\* Content Status    : Published

\* Security          : Public

===============================================================================

Created By  : robmcm Published Date : 2003-04-22

Modified By : a-abyrd Archived Date  :

 

 

 

 

 

http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/WINDOWS2000/en/server/iis/htm/core/wcwdcp.htm

 

 

About WebDAV

Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Integrated into IIS, WebDAV allows clients to do the following:

·         Manipulate resources in a WebDAV publishing directory on your server. For example, with this feature, users with the correct permissions can copy and move files around in a WebDAV directory.

·         Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.

·         Lock and unlock resources so that multiple users can read a file concurrently, but only one person at a time can modify the file.

·         Search the content and properties of files in a WebDAV directory.

Setting up a WebDAV publishing directory on your server is as straightforward as setting up a virtual directory through the IIS snap-in. Once you have set up your publishing directory, users with the correct permissions can publish documents to the server and manipulate files in the directory. Before you can set up a WebDAV directory, you must install Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server.

WebDAV Clients

You can access a WebDAV publishing directory through one of the Microsoft products described in the following list or through any other client that supports the industry standard WebDAV protocol.

·         Windows 2000 connects to a WebDAV server through the Add Network Place Wizard and displays the contents of a WebDAV directory as if it were part of the same file system on your local computer. Once connected, you can drag and drop files, retrieve and modify file properties, and do many other file-system tasks.

·         Internet Explorer 5 connects to a WebDAV directory and lets you do the same file-system tasks as you can through Windows 2000.

·         Office 2000 creates, publishes, edits, and saves documents directly into a WebDAV directory through any application in Office 2000.

Searching in WebDAV

Once connected to a WebDAV directory, you can quickly search the files on that directory for content as well as properties. For example, you can search for all files that contain the word table or for all files written by Fred.

Integrated Security

Because WebDAV is integrated with Windows 2000 and IIS 5.0, it borrows the security features offered by both. These features include the IIS permissions specified in the IIS snap-in and the discretionary access control lists (DACLs) in the NTFS file system. For information about IIS 5.0 security, see Security.

Because clients with proper permissions can write to a WebDAV directory, it is vital that you can control who is accessing your directory at all times. To help control access, IIS 5.0 has reinforced Integrated Windows authentication by building in support for the Kerberos 5 authentication protocol. By selecting Integrated Windows authentication, you can make sure that only clients with permission can access and write to the WebDAV directory on your intranet. For more information about how the Kerberos 5 authentication protocol works with IIS Integrated Windows authentication, see Integrated Windows Authentication. For information about how the Kerberos protocol works in general, see "Kerberos v5 Authentication" in the Microsoft Windows 2000 Server documentation.

In addition, IIS 5.0 introduces a new type of authentication called Digest authentication. Created for Windows domain servers, this type of authentication offers tighter security for passwords and for transmitting information across the Internet. For information about Digest authentication, see Digest Authentication and Configuring Digest Authentication.

 

 

 

 

 

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/pub_dav_aboutwebdav.asp

 

 

 

 

About WebDAV

Important In order to take a more proactive stance against malicious users and attackers, IIS is not installed on members of the Microsoft® Windows® Server 2003 family by default. Furthermore, when you initially install IIS, the service is installed in a highly secure and "locked" mode. By default, IIS serves only static content -- meaning features like ASP, ASP.NET, Server-Side Includes, WebDAV publishing, and FrontPage® Server Extensions do not work unless enabled. If you do not enable this functionality after installing IIS, IIS returns a 404 error. You can serve dynamic content and enable these features through the Web Service Extensions node in IIS Manager. Also, if an application extension is not mapped in IIS, IIS returns a 404 error. To map an extension, see Setting Application Mappings. For more information on how to troubleshoot 404 errors, including 404.2 and 404.3; issues related to a new installation of IIS 6.0; or an upgrade from a previous version of IIS, see Troubleshooting.

Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web.

Integrated into IIS, WebDAV allows clients to do the following:

·         Manipulate resources in a WebDAV publishing directory on your server. For example, users who have been assigned the correct rights can copy and move files around in a WebDAV directory.

·         Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.

·         Lock and unlock resources so that multiple users can read a file concurrently. However, only one person can modify the file at a time.

·         Search the content and properties of files in a WebDAV directory.

Setting up a WebDAV publishing directory on your server is as straightforward as setting up a virtual directory through IIS Manager. After you have set up your publishing directory, users who have been assigned the correct rights can publish documents to the server and manipulate files in the directory. Before you can set up a WebDAV directory, you must install Windows XP Professional or a member of the Windows Server 2003 family.

WebDAV Clients

You can access and publish to a WebDAV directory through one of the following Microsoft products or through any other client that supports the industry standard WebDAV protocol. For the specific procedure on how to access and publish through these Microsoft products, consult the specific product's Help.

·         Windows clients (Windows 2000 and Windows XP): Connect to a WebDAV directory by adding the directory to the list of Network Places and display the contents as if it were part of the same file system on your local computer. Once connected, you can drag and drop files, retrieve and modify file properties, and complete many other file-system tasks. You can also connect using the command-line client (known as WebDAV Redirector). This client allows you to use existing applications across the Web and share files through firewalls and proxy servers.

·         Internet Explorer (versions 5.0 and 6.0): Connect to a WebDAV directory by opening the target directory as a Web folder and complete the same file-system tasks as Windows clients.

·         Microsoft Office products (Office 2000 and Office XP): Create, publish, edit, and save documents directly into a WebDAV directory through any application in Office 2000 or Office XP.

Note Even if users connect from behind a firewall, they can still publish on a WebDAV directory if they have the correct permissions and if the firewall is configured to allow publishing.

When enabling WebDAV publishing on your intranet, ensure that all WebDAV clients are running the WebClient service.

To check the status, or to enable the WebClient service on a WebDAV client machine

1.    From the Start menu, point to Administrative Tools, and click Computer Management.

2.    In the details pane, double-click Services and Applications.

3.    Double-click Services.

4.    Scroll down, right-click WebClient, and click Properties.

5.    In the Startup type list box, click Automatic.

6.    Click Apply.

7.    In the Service status section, click Start.

8.    Click OK.

Searching in WebDAV

Once connected to a WebDAV directory, you can quickly search the files on that directory for content as well as properties. For example, you can search for all files that contain the word table or for all files written by Fred.

Integrated Security

WebDAV is integrated with the Windows Server 2003 family and IIS, which means WebDAV takes advantage of the security features offered by the platform and the Web server, including permissions control and discretionary access control lists (DACLs) in the NTFS file system. For information about IIS security, see Security.

Clients with proper user rights can write to a WebDAV directory, so it is vital that you control who accesses your directory. IIS has reinforced Integrated Windows Authentication by building in support for the Kerberos V5 security protocol. (Note that Integrated Windows authentication and Kerberos V5 are not the same thing. Integrated Windows authentication now supports Kerberos V5.) By selecting Integrated Windows authentication, you can make sure that only clients with the correct user rights can access and write to the WebDAV directory on your intranet. For information about how the Kerberos V5 protocol works, see "Kerberos V5 protocol" in Windows Server 2003 family Help.

In addition, IIS supports Digest authentication and Advanced Digest authentication. Created for Windows domain servers, Digest and Advanced Digest authentication offer tighter security for passwords and for transmitting information across the Internet. For information about Digest authentication, see Digest Authentication. For information about Advanced Digest authentication, see Advanced Digest Authentication.

Related Topics

·         For more information on file and directory security, see Encrypting File System (EFS). EFS is a new feature in Windows Server 2003 family.

 

 


http://www.iisfaq.com/default.aspx?View=A554&P=80

 

Creating WebDav Publishing Directories


Before setting up your WebDAV publishing directory, ensure that your publishing directory resides in an NTFS partition and be sure the WebDAV extension is enabled in IIS Manager.

WebDAV publishing and file management requires the following permissions on the NTFS directory:

  • Read: Enables users to read the contents of a file.
  • Read and Execute: Enables user to read a file and run scripts or Common Gateway Interfaces (CGIs).
  • List: Enables users to view the contents of the directory.
  • Write: Enables users to access and change the source of a script and to publish files.
  • Modify: Enables users to rename or delete a directory or file.

Note Assigning Write access does not give clients the ability to modify Active Server Pages (ASP) or any other script-mapped files. To allow these files to be modified, you must assign Write permission and Script source access after creating the virtual directory. For information about setting these permissions, see Securing Sites with Web Site Permissions.

WebDAV publishing and file management requires the following permissions on the IIS virtual directory:

  • Read: Enables users to read the contents of a file.
  • Directory Browsing: Enables users to view the contents of the directory.
  • Write: Enables users to access and change the source of a script and to publish files.
  • Indexing (optional): Enables users to search a directory.

Important You must be a member of the Administrators group on the local computer to perform the following procedure (or procedures), or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

To set up a publishing directory

  1. Create a directory on your Web server and set the desired NTFS permissions. You can create this directory anywhere on your Web server.
  2. In IIS Manager, create a virtual directory and set the desired virtual directory permissions.
  3. Type WebDAV as the alias for this virtual directory, and link it to the physical directory you created in Step 1.

After you finish setting up a WebDAV virtual directory, you can allow clients to publish to it.

See Also

Mapping a drive X: to a WebDav folder - the Microsoft WebDav Redirector
Viewing the WebDAV communications between IE and IIS

 

 

 

 

 

 

http://iishelp.web.cern.ch/IISHelp/iis/htm/core/wcwbdav.htm

 

 

WebDAV Publishing

This section explains how to set up a WebDAV publishing directory on an IIS 5.0 server, and tells how clients can connect to the server to edit and manipulate files.

This section includes:

·         About WebDAV: Explains how WebDAV can create directories from which remote users can publish and manipulate files.

·         Creating a Publishing Directory: How to set up a WebDAV publishing directory.

·         Managing WebDAV Security: Provides tips on how to optimize IIS 5.0 and Windows 2000 security to secure your WebDAV site.

·         Searching a WebDAV Directory: How to configure a WebDAV directory so that users can search it for content and document properties.

·         Publishing and Managing Files: How to publish content and manipulate files through Windows 2000, Internet Explorer, and Office 2000.

Note   WebDAV is an implementation of the HTTP 1.1 proposed draft and is therefore not available for non-HTTP services, such as FTP sites. Also, this implementation is currently for IIS 5.0 only.

 

 

About WebDAV

Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Integrated into IIS, WebDAV allows clients to do the following:

·         Manipulate resources in a WebDAV publishing directory on your server. For example, with this feature, users with the correct permissions can copy and move files around in a WebDAV directory.

·         Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.

·         Lock and unlock resources so that multiple users can read a file concurrently, but only one person at a time can modify the file.

·         Search the content and properties of files in a WebDAV directory.

Setting up a WebDAV publishing directory on your server is as straightforward as setting up a virtual directory through the IIS snap-in. Once you have set up your publishing directory, users with the correct permissions can publish documents to the server and manipulate files in the directory. Before you can set up a WebDAV directory, you must install Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server.

WebDAV Clients

You can access a WebDAV publishing directory through one of the Microsoft products described in the following list or through any other client that supports the industry standard WebDAV protocol.

·         Windows 2000 connects to a WebDAV server through the Add Network Place Wizard and displays the contents of a WebDAV directory as if it were part of the same file system on your local computer. Once connected, you can drag and drop files, retrieve and modify file properties, and do many other file-system tasks.

·         Internet Explorer 5 connects to a WebDAV directory and lets you do the same file-system tasks as you can through Windows 2000.

·         Office 2000 creates, publishes, edits, and saves documents directly into a WebDAV directory through any application in Office 2000.

Searching in WebDAV

Once connected to a WebDAV directory, you can quickly search the files on that directory for content as well as properties. For example, you can search for all files that contain the word table or for all files written by Fred.

Integrated Security

Because WebDAV is integrated with Windows 2000 and IIS 5.0, it borrows the security features offered by both. These features include the IIS permissions specified in the IIS snap-in and the discretionary access control lists (DACLs) in the NTFS file system. For information about IIS 5.0 security, see Security.

Because clients with proper permissions can write to a WebDAV directory, it is vital that you can control who is accessing your directory at all times. To help control access, IIS 5.0 has reinforced Integrated Windows authentication by building in support for the Kerberos 5 authentication protocol. By selecting Integrated Windows authentication, you can make sure that only clients with permission can access and write to the WebDAV directory on your intranet. For more information about how the Kerberos 5 authentication protocol works with IIS Integrated Windows authentication, see Integrated Windows Authentication. For information about how the Kerberos protocol works in general, see "Kerberos v5 Authentication" in the Microsoft Windows 2000 Server documentation.

In addition, IIS 5.0 introduces a new type of authentication called Digest authentication. Created for Windows domain servers, this type of authentication offers tighter security for passwords and for transmitting information across the Internet. For information about Digest authentication, see Digest Authentication and Configuring Digest Authentication.

 

 

Creating a Publishing Directory

The following procedure walks you through setting up a publishing directory called WebDAV.

To set up a publishing directory

1.    On the Windows 2000 Desktop, click My Computer.

2.    In the Inetpub directory, create a physical directory.

For example, if you call the directory WebDAV, the path to this directory would look like this: C:\Inetpub\WebDAV

You can actually put this directory anywhere you want, except under the Wwwroot directory. Wwwroot is an exception because its default DACLs are different from those on other directories.

3.    In the IIS snap-in, create a virtual directory.

For instructions, see Creating Virtual Directories.

4.    Type WebDAV as the alias for this virtual directory, and link it to the physical directory you created in step 2.

5.    Grant Read, Write, and Browsing access permissions for the virtual directory.

You are granting users the right to publish documents on this virtual directory and to see a list of the files in it. Although not recommended for security reasons, you can grant the same access to your entire Web site and allow clients to publish to your entire Web server.

Note   Granting Write access does not give clients the ability to modify Active Server Pages (ASP) or any other script-mapped files. To allow these files to be modified, you must grant Write permission and Script source access after creating the virtual directory. For information about setting these permissions, see Setting Web Server Permissions.

Once you finish setting up a WebDAV virtual directory, you can allow clients to publish to it. For information on how users can connect to the directory through any of the Microsoft WebDAV Clients, see Publishing and Managing Files.

 

 

Managing WebDAV Security

This section describes the recommended best practices for setting up secure remote publishing. You will learn how to protect your server and content by coordinating different aspects of security into an integrated whole. These aspects of security include:

·         Authenticating Clients

·         Controlling Access

·         Denying Service

Authenticating Clients

IIS offers the following levels of authentication:

·         Anonymous

·         Basic

·         Integrated Windows

·         Digest

The best way to configure a WebDAV directory depends on the kind of publishing you want to do. When you create a virtual directory through IIS 5.0, Anonymous and integrated Windows authentication are both turned on. Although this default configuration works well for clients connecting to your server, reading content on a Web page, and running scripts, it does not work well with clients publishing to a directory and manipulating files in that directory.

Anonymous access grants anyone access to the directory, and therefore, you should turn it off for a WebDAV directory. Without controlling who has access, your directory could be vandalized by unknown clients. For more information, see Anonymous Authentication.

Basic authentication sends passwords over the connection in clear text. Because clear text can easily be intercepted and read, you should turn on Basic authentication only if you encrypt passwords through Secure Sockets Layer (SSL). For more information, see Basic Authentication and Setting Up SSL on Your Server.

Integrated Windows authentication works best when you are setting up a WebDAV directory on an intranet. For more information, see Integrated Windows Authentication.

Digest authentication is the best choice for publishing information on a server over the Internet and through firewalls. For more information, see Digest Authentication.

Controlling Access

This section describes how you can control access to your WebDAV directory by coordinating IIS 5.0 and Windows 2000 permissions, and how you can protect your script files.

Setting up Web Permissions

This section recommends various ways to configure Web permissions based on the purpose of the material you are publishing.

·         Read, Write, Directory browsing enabled   Turning on these permissions lets clients see a list of resources, modify them (except for those resources without Write permission), publish their own resources, and manipulate files.

·         Write enabled, Read, and Directory browsing disabled   If you want clients to publish private information on the directory, but do not want others to see what has been published, set Write permission, but do not set Read or Directory browsing permission. This configuration works well if clients are submitting ballots or performance reviews.

·         Read and Write enabled, and Directory browsing disabled   Set this configuration if you want to rely on obscuring file names as a security method. However, be aware that security by obscurity is a low-level security precaution, because a vandal could guess file names by trial and error.

·         Index this resource enabled   Be sure to enable Indexing Service if you plan to let clients search directory resources.

For more information about Web permissions, see Setting Web Server Permissions.

Controlling Access with DACLs

When setting up a WebDAV publishing directory on an NTFS file system drive, Windows 2000 Server gives everyone Full Control by default. Change this level of permission so that everyone has Read permission only. Then grant Write permission to certain individuals or groups.

For more information about NTFS permissions, see NTFS Permissions.

Protecting Script Code

If you have script files in your publishing directory that you do not want to expose to clients, you can easily deny access to these files by making sure Script source access is not granted. Scripts include files with extensions that appear in the Applications Mapping list. All other executable files will be treated as static HTML files, including files with .exe extensions, unless Scripts and Executables is enabled for the directory.

To prevent .exe files from being downloaded and viewed as HTML files, but to allow them to be run, on the Virtual Directory property sheet of the publishing directory, change the Execute Permissions to Scripts and Executables. This level of permission will then make all executable files subject to the Script source access setting. In other words, if Script source access is selected, clients with Read permission can see all executables, and clients with Write permission can edit them, as well as run them.

With the following permissions, clients can write to an executable file that does not appear in the Application Mapping:

·         Write permission is granted.

·         Execute Permissions is set to Scripts only.

With the following permissions, clients can also write to an executable file:

·         Script source access is granted.

·         Execute Permissions is set to Scripts and Executables.
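The authentication, Web permission and script-protection rules above can be checked mechanically. The following is an added example, not part of the original documentation: it decodes a directory's IIS metabase flag values (AuthFlags, AccessFlags, AccessSSLFlags, DirBrowseFlags) and reports the combinations this section warns about. The finding names and sample values are made up for the illustration.

```python
# Added example: audit one WebDAV virtual directory against the guidance above.
# Bit values are the IIS metabase AuthFlags, AccessFlags, AccessSSLFlags and
# DirBrowseFlags constants; the finding names are made up for this example.
AUTH_ANONYMOUS, AUTH_BASIC = 0x1, 0x2
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE = 0x1, 0x2, 0x4
ACCESS_SOURCE, ACCESS_SCRIPT = 0x10, 0x200
ACCESS_SSL = 0x8               # AccessSSLFlags: Require SSL
DIR_BROWSING = 0x80000000      # DirBrowseFlags: EnableDirBrowsing


def audit_webdav_dir(auth, access, ssl, dirbrowse):
    """Return finding codes for one directory's metabase flag values."""
    read = bool(access & ACCESS_READ)
    write = bool(access & ACCESS_WRITE)
    source = bool(access & ACCESS_SOURCE)
    # "Scripts and Executables" sets AccessExecute; "Scripts only" sets
    # AccessScript without it.
    scripts_and_exe = bool(access & ACCESS_EXECUTE)
    scripts_only = bool(access & ACCESS_SCRIPT) and not scripts_and_exe

    findings = []
    if auth & AUTH_ANONYMOUS:
        findings.append("ANONYMOUS_ENABLED")
    if (auth & AUTH_BASIC) and not (ssl & ACCESS_SSL):
        findings.append("BASIC_WITHOUT_SSL")
    if source and read:
        findings.append("SCRIPT_SOURCE_READABLE")
    if write and scripts_only:
        findings.append("UNMAPPED_EXECUTABLES_WRITABLE")
    if write and source and scripts_and_exe:
        findings.append("EXECUTABLES_WRITABLE")
    if read and write and not (dirbrowse & DIR_BROWSING):
        findings.append("RELIES_ON_OBSCURE_FILE_NAMES")
    return findings


# Constructed sample values, not taken from a real server.
DEFAULT_LIKE = dict(auth=0x1 | 0x4, access=0x1 | 0x2 | 0x200, ssl=0,
                    dirbrowse=DIR_BROWSING)
PUBLISHING = dict(auth=AUTH_BASIC, access=ACCESS_READ | ACCESS_WRITE,
                  ssl=ACCESS_SSL, dirbrowse=DIR_BROWSING)

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("publishing", PUBLISHING)):
        print(name, audit_webdav_dir(**cfg) or "no findings")
```
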

Denying Service

Dragging and dropping extremely large files into a WebDAV directory could take up a large amount of disk space. To limit this amount, you can set a quota on disk usage. To learn more about disk quotas, see “Disk Quotas Overview” in the Windows 2000 Server documentation.

For more information about security, see IIS Security Checklist.

 

 

Searching a WebDAV Directory

Once you have created a WebDAV publishing directory, you may want to allow users to search for content and file properties.

To set up your publishing directory for searching

1.    If you want to let clients search for resource properties, make sure the directory is on a drive formatted for NTFS.

If you put the directory on a drive formatted for the file allocation table (FAT) file system, clients can search for resource content, but cannot search for resource properties.

2.    Make sure Indexing Service is running on your server by typing the following at the command prompt:

net start cisvc

3.    In the IIS snap-in, check the Virtual Directory properties for your WebDAV directory to make sure Index this resource and Read access options have been selected.

If Index this resource is not selected, Indexing Service will not create a catalog for that directory, and therefore, no one will be able to search it. If Read access has not been selected, a client can search the directory, but will not be able to see the results of the search. For details on setting IIS 5.0 permissions for a virtual directory, see Setting Web Server Permissions.

Creating a Search Tool

The Microsoft implementation of WebDAV allows you to create a tool for clients to search a directory for content or properties or both. The following example shows a basic search command from which you can create a tool:

SEARCH /webdav HTTP/1.1
Host: iis
Content-Type: text/xml
Content-Length: 157

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
  <g:sql> Select "DAV:displayname"
                FROM SCOPE()
  </g:sql>
</g:searchrequest>

For details on creating a search tool, see the Microsoft® Platform SDK.

Searching for Properties

There are two kinds of properties: server defined and user defined.

Server-defined properties include all properties created and maintained by the server. These properties are Read-only, and therefore, cannot be modified. Examples include the date a document was created and when it was last modified.

User-defined properties include all properties that can be created and modified by a user. Examples include the author of a document and the document's title. If you want clients to be able to find documents based on a user-defined property, you must create the property or make sure that it already exists.

Along with existing properties that users can define and modify, you can create your own custom properties. This means you could create a custom property called Source which names any resource consulted in developing a document. A user could then search a site for all documents developed from a certain source. The following example shows a property which names resources at the Library of Congress.

where contains ("Source", "Library of Congress")

Note   Currently, WebDAV only supports searching for custom properties that are strings.
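A search tool built on the SEARCH request and the property clause above has to compute Content-Length itself and has to keep user input from closing the quoted strings in the query. The following is an added example, not code from the original page or the Platform SDK: it builds the request bytes and reads display names from a reply. The property-name pattern and the sample 207 Multi-Status reply are assumptions constructed for the illustration.

```python
# Added example (not from the original page or the Platform SDK).
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PROP_RE = re.compile(r"^[A-Za-z][A-Za-z0-9:_-]*$")   # assumed safe name shape


def build_search(host, path, prop=None, term=None):
    """Return raw SEARCH request bytes with a computed Content-Length."""
    if re.search(r"\s", host + path):
        raise ValueError("whitespace or CR/LF in host or path")
    sql = 'Select "DAV:displayname" FROM SCOPE()'
    if prop is not None:
        # Both values land inside double quotes in the query text, so refuse
        # anything that could close the quotes and extend the query.
        if not term or not PROP_RE.match(prop) or re.search(r'["\'\r\n]', term):
            raise ValueError("unsafe property name or search term")
        sql += ' where contains ("%s", "%s")' % (prop, term)
    # escape() handles &, < and > so the query cannot break the XML body.
    body = ('<?xml version="1.0"?>\r\n'
            '<g:searchrequest xmlns:g="DAV:">\r\n'
            '  <g:sql>%s</g:sql>\r\n'
            '</g:searchrequest>\r\n' % escape(sql)).encode("utf-8")
    head = ("SEARCH %s HTTP/1.1\r\nHost: %s\r\nContent-Type: text/xml\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(body)))
    return head.encode("ascii") + body


def display_names(multistatus_xml):
    """Pull DAV:displayname values out of a 207 Multi-Status body."""
    root = ET.fromstring(multistatus_xml)
    return [e.text for e in root.iter("{DAV:}displayname")]


# Constructed reply in the standard WebDAV multistatus shape.
SAMPLE_REPLY = """<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
 <a:response><a:href>http://iis/webdav/report.doc</a:href>
  <a:propstat><a:status>HTTP/1.1 200 OK</a:status>
   <a:prop><a:displayname>report.doc</a:displayname></a:prop>
  </a:propstat></a:response>
</a:multistatus>"""

if __name__ == "__main__":
    print(build_search("iis", "/webdav", "Source", "Library of Congress").decode())
    print(display_names(SAMPLE_REPLY))
```
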

 

 

Publishing and Managing Files

This section tells how users can connect to a WebDAV publishing directory, publish documents by dragging them from their computers to the publishing directory, and manipulate files in the directory.

This section includes:

·         Publishing through Windows 2000: Explains how to connect to a WebDAV server through the Web Folders feature in the Network Neighborhood.

·         Publishing through Internet Explorer 5: Explains how to connect to a WebDAV server and manipulate files in Internet Explorer 5.

·         Publishing through Office 2000: Explains how to manage files and edit them directly on a WebDAV virtual directory.

Note   Even if users connect from behind a firewall, they can still publish on a WebDAV directory if they have the correct permissions and if the firewall is configured to allow publishing.