IIS Informant: Using Web Folders with WebDAV

I've seen references to using WWW Distributed Authoring and Versioning (WebDAV) to publish content to an IIS Web server, but I'm not familiar with this method. What's the difference between using a Web folder and using WebDAV? Also, can you use WebDAV on a Windows NT 4.0 server running IIS 4.0?

WebDAV, which the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2518 spells out, is a standard for using HTTP and port 80 to manage files on a server. (For more information about this standard, go to http://www.ietf.org/rfc/rfc2518.txt.) This standard lets you publish files to a server without using any specialized client software, such as FTP or Microsoft FrontPage. Additionally, you can delete, create, copy, lock, and query the properties of files on a server. All these operations occur over HTTP and through port 80, so you can't use firewalls that aren't application-aware (i.e., sufficiently aware of the content so that the firewall can deny or allow specific types of HTTP traffic) to block the port.

To access a WebDAV-enabled server (i.e., IIS 6.0 on Windows .NET Server—formerly code-named Whistler, IIS 5.1 on Windows XP, and IIS 5.0 on Windows 2000), first create a Web folder by opening Microsoft Internet Explorer (IE) 5.x or later and following these steps:

A Web folder window will open and reveal the files and directories on the server, presuming you have the proper permissions.

Using Web folders with non-WebDAV OSs. Web folders aren't limited to .NET Server, XP, and Win2K. You can also create them on a Windows 95 machine with IE 5.x. How can Web folders exist on a Win95 machine accessing an NT 4.0 (i.e., non-WebDAV) machine? The answer is that Web folders will use FrontPage Server Extensions to provide file-management capabilities as if the Web folders were WebDAV folders. You could say that the server extensions provided WebDAV capability before the WebDAV standard existed.

Securing WebDAV. So, Web folders let you manage files on an IIS 4.0 server by using FrontPage Server Extensions or on an IIS 6.0, IIS 5.1, or IIS 5.0 server by using a WebDAV provider. From a security perspective, let's examine a scenario in which the server extensions aren't available (i.e., you use WebDAV). If you want to provide users with the ability to write files to your server, you must enable the Write Web-based permission. (For more information about Web-based permissions, see "The Truth About Web-Based Permissions," January 2002, InstantDoc ID 23280.) This permission lets anyone who has the proper NTFS permissions write to your server. In addition, if you haven't enabled the Script source access permission, users can't publish scripts defined in the Web site's application mappings. Consequently, you have to enable Write and Script source access permissions for the Web folder or Web site.

One advantage of WebDAV is the ability to open the Web site as a Web folder on a remote client computer. If you don't enable the Directory browsing permission, the Web Folder window appears empty. Therefore, you'll probably have to enable all Web-based permissions in the Microsoft Management Console (MMC) Internet Information Services snap-in to effectively use WebDAV. (You set Web-based permissions in the Web site's Properties dialog box, which Figure 1 shows.)

The problem with enabling Web-based permissions is that doing so places an extreme burden on NTFS. For example, if you disable Write permission on a Web folder in the Internet Information Services snap-in, users can't use WebDAV to write to the folder, even if they have full control. Your Web-based permissions are protecting you against an error in the configuration and management of what's often a complex and difficult-to-administer plan for NTFS permissions. By enabling all the Web-based permissions, you're in effect saying that your NTFS permissions plan and administration must be perfect. Nevertheless, WebDAV is useful and easy to implement. And being able to open a Web folder on a remote IIS server and drag files to the folder to immediately publish content is great.

Disabling WebDAV. If your users don't require WebDAV's functionality, I suggest that you disable it. One way to do so is to disable all access to httpext.dll by either removing all ACLs from the file or setting Deny Full Control permission on the Everyone group. (For more information about disabling httpext.dll, see the Microsoft article "How to Disable WebDAV for IIS 5.0" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q241520.) Using ACLs to deny access is the technique that the original IIS Lockdown Tool used to disable WebDAV. Personally, I think this technique is a bad idea: When you install hotfixes or service packs, httpexe.dll won't be updated because the System account doesn't have access. However, using ACLs to provide the System account with access enables WebDAV—it's a catch-22.

Another way to disable all access to httpext.dll is to prevent HTTP requests that contain WebDAV verbs from reaching IIS. To do so, inspect incoming HTTP requests for these WebDAV verbs:

Inspecting the incoming packets requires an application-aware firewall that prevents unwanted traffic from ever reaching the Web server. As an alternative, you can install Microsoft UrlScan, which is part of the new IIS Lockdown Tool 2.1. The IIS Lockdown Tool is available for download from http://www.microsoft.com/downloads/release.asp?releaseid=33961. You can configure UrlScan to allow or deny client requests to the server based on content.

As an aside, WebDAV is implemented in .NET Server and XP as a network redirector. As a result, you can map drives to content on a Web server either by using a Net Use command, such as

net use f: http://www.website.com/directory

or by using a Web site address as a Universal Naming Convention (UNC) pathname.