[This is preliminary documentation and subject to change]

Managing WebDAV Security

This section describes the recommended best practices to set up secure remote publishing. You will learn how to protect your server and content by coordinating different aspects of security into an integrated whole. These aspects of security include:

• Authenticating Clients
• Controlling Access
• Denying Service

Authenticating Clients

IIS offers the following levels of authentication:

• Anonymous
• Basic
• Integrated Windows
• Digest
• Advanced Digest

The best way to configure a WebDAV directory depends on the kind of publishing you want to do. When you create a virtual directory through IIS, Anonymous and Integrated Windows authentication are both turned on. Although this default configuration works well for clients connecting to your server, reading content on a Web page, and running scripts, it does not work well with clients publishing to a directory and manipulating files in that directory.

Anonymous access grants anyone access to the directory, and therefore, you should turn it off for a WebDAV directory. Without controlling who has access, your directory could be vandalized by unknown clients. For more information, see Anonymous Authentication.

Basic authentication sends passwords over the connection in clear text. Because clear text can easily be intercepted and read, you should turn on Basic authentication only if you encrypt passwords through Secure Sockets Layer (SSL). For more information, see Basic Authentication and Setting Up SSL on Your Server.

Digest authentication is a good choice for publishing information on a server that is accessed over the Internet and through firewalls because the passwords are sent over the network as an MD5 hash. However, passwords are stored as plain text in Active Directory. For more information, see Digest Authentication.

Advanced Digest authentication is an improvement over digest authentication because in addition to sending passwords over the network as an MD5 hash, the passwords are also stored in Active Directory as an MD5 hash rather than plain text. This makes Advanced Digest the best choice for publishing information on a server that is accessed over the Internet and through firewalls. For more information, see Advanced Digest Authentication.

Integrated Windows authentication works best when you are setting up a WebDAV directory on an intranet. For more information, see Integrated Windows Authentication.

Controlling Access

This section describes how you can control access to your WebDAV directory by coordinating IIS and Windows Whistler permissions, and how you can protect your script files.

Configuring Web Permissions

This section recommends various ways to configure Web permissions based on the purpose of the material you are publishing.

• Read, Write, Directory browsing enabled   Turning on these permissions lets clients see a list of resources, modify them (except for those resources without Write permission), publish their own resources, and manipulate files.
• Write enabled; and Read and Directory browsing disabled   If you want clients to publish private information on the directory, but do not want others to see what has been published, set Write permission and do not set Read or Directory browsing permission. This configuration works well if clients are submitting ballots or performance reviews.
• Read and Write enabled; and Directory browsing disabled   Set this configuration if you want to rely on obscuring file names as a security method. However, be aware that security by obscurity is a low-level security precaution because a vandal could guess file names by trial and error.
• Index this resource enabled   Be sure to enable Indexing Service if you plan to let clients search directory resources.

For more information about Web permissions, see Setting Web Server Permissions.

Controlling Access with DACLs

When setting up a WebDAV publishing directory on an NTFS file system drive, Windows Whistler Server gives everyone Full Control by default except in the Wwwroot directory. Change this level of permission so that the Everyone group has Read permission only. Then grant Write permission to certain individuals or groups.

For more information about NTFS permissions, see NTFS Permissions.

Protecting Script Code

If you have script files in your publishing directory that you do not want to expose to clients, you can deny access to these files by verifying that Script source access is not granted. Scripts include files with extensions that appear in the Applications Mapping list. All other executable files are treated as static HTML files, including files with .exe extensions, unless Scripts and Executables is enabled for the directory.

To prevent .exe files from being downloaded and viewed as HTML files, but to allow them to be run, on the Virtual Directory property sheet of the publishing directory, change the Execute Permissions to Scripts and Executables. This level of permission makes all executable files subject to the Script source access setting. With Script source access is selected, clients with Read permission can see all executables, and clients with Write permission can edit them, as well as run them.

With the following permissions, clients can write to an executable file that does not appear in the Application Mapping:

• Write permission is granted.
• Execute Permissions is set to Scripts only.

With the following permissions, clients can also write to an executable file:

• Script source access is granted.
• Execute Permissions is set to Scripts and Executables.

Denying Service

Dragging and dropping extremely large files into a WebDAV directory could take up a large amount of disk space. To limit this amount, you can set a quota on disk usage. To learn more about disk quotas, see "Disk Quotas Overview" in the Windows Whistler Server documentation.

For more information about security, see IIS Security Checklist.

© 1997-2001 Microsoft Corporation. All rights reserved.