Deciding If and How to Disable WebDAV Access

Is it possible to disable WWW Distributed Authoring and Versioning (WebDAV) access to Exchange Server 2003 systems?

Well, yes and no. Let me explain.

Microsoft IIS implements DAV in a DLL named HTTPExt.dll. Exchange 2003 and Exchange 2000 Server both support WebDAV by using a custom DAV implementation that lives in the DLLs DAVEx.dll and ExProx.dll. This separation makes it possible to disable WebDAV for IIS without disabling Exchange's WebDAV implementation. If that's what you're asking how to do, you can either set NTFS permissions that prevent the reading of HTTPExt.dll, or set the registry entry DisableWebDav, which the Microsoft article "How to disable WebDAV for IIS 5.0" (http://support.microsoft.com/?kbid=241520) describes. In either case, Exchange will be unaffected.

If you're trying to disable Exchange 2003's DAV implementation, be aware that Outlook Web Access (OWA) and several other Exchange components depend on DAV. By blocking specific DAV verbs at the network level (through a firewall) or by installing URLScan, you will break the Exchange DAV implementation. Make sure that the damage this will cause is worth whatever benefit you hope to gain.