08.14.03

By Brett Hill
The basic purpose of WebDAV is to provide file I/O through HTTP. This permits
you to load, edit, delete, create subdirectories, and generally manage files
located on the Web Server from the client desktop. Of course, MS already has several products
that permit remote manipulation of websites.
FTP permits you to upload, download, navigate and manipulate files, but
has limited security features. You have to install the FTP server as well which
consumes resources and requires administration.
Posting Acceptor by MS has been around a while and does permit you to upload files
to a website, but requires greater permissions to use than you may be comfortable
with while providing limited flexibility.
Front Page and Visual Interdev certainly permit the client to post and manipulate
files on an IIS Frontpage web, but they also create administrative headaches and are
proprietary to MS.
Enabling WebDAV
WebDAV is aimed at making it easy. You can use it without installing any additional
server services or client services. Recently, I had an email exchange with an
IIS administrator who was fuming about his experience trying to find a way to
turn on WebDav. There’s the first surprise. It’s already on.
WebDAV is actually a custom extension by MS of HTTP 1.1. These HTTP extensions
are built into IIS 5.0 and IE 5.0. In other words, once you have installed IIS
5, when you access it from IE 5 or from ‘My Network Places’, you are WebDAV enabled.
There are no setup switches to turn on. The downside is that you can’t turn it OFF either.
Gulp.
FYI, WebDAV is also supported by Exchange 2000.
WebDAV Standards and Specifications
Since WebDAV is a standard being worked on by the W3C, it’s not an MS invention.
There are WebDAV clients and utilities out there that work with WebDAV servers
other than MS products. It’s defined in RFC-2518. Of course, MS being MS, they
added their not insignificant bit of functionality which we’ll get into later.
The basic WebDAV RFC extends HTTP by adding some additional verbs.
- PROPFIND – searches for properties for an object
- PROPGET – retrieve a property from an object
- PROPPATCH – update a property of an object
- MKCOL – make a subdirectory
- DELCOL – delete a subdirectory
- LOCK – lock a file or object
- UNLOCK – release the lock
Microsoft has additional functionality via the TRANSLATE header. The TRANSLATE
header is designed to permit you to download script source via your browser
rather than have it rendered. This capability is already present in systems for
use with FrontPage and Visual InterDev. The purpose of the new “Script Source
Access” checkbox in IIS 5 website and virtual directory properties is to turn
on and off the use of the TRANSLATE header. However, even if it is off, WebDAV is still
enabled.
In addition to these verbs, six new HTTP errors were added:
- 102 Processing – WebDAV is running, please wait
- 207 Multi-Status – A general status report of operations
- 422 Unprocessable Entity – essentially means file not found
- 423 Locked – The file you are accessing is currently locked
- 424 Method Failure – the method failed to complete
- 425 Insufficient Space – out of disk space
IIS 5.0 checks every communication for WebDAV content and routes appropriate packets
to httpext.dll. Httpext.dll is an ISAPI extension, but unlike ASP.dll, it is not
to be found in the application mappings. So what’s the deal? Since WebDAV is not
activated by a file extension and is contained in the HTTP protocol itself, it cannot be
mapped in the same way. Like I said before, you can’t turn it off.
UPDATE: As of SP3 (or SR1) there is a new registry property that disables WebDAV
for the entire server. See Q241520.
WebDAV Properties
WebDAV permits properties that are not part of the operating system to be associated
with files. Since they are not part of the file system, these properties are stored
in the metabase. They can be extended and searched using custom tools. For example,
if a file is locked via WebDAV, the WebDAV properties for that
file are updated. For more information about this and other related WebDAV capabilities,
see the IIS 5 online documentation.
Connecting to a WebDAV folder
- Through Windows 2000: My Network Places
- Through Internet Explorer 5: Will open the site showing files instead of rendering
the pages. You can then manipulate the files just like using Windows Explorer.
- Through Office 2000: Theoretically, you can use Office 2000 applications to
read and write to WebDAV locations. In practice, however, this has not worked
reliably for me.
Security Issues
In my eyes, WebDAV creates a host of security concerns. Since it can’t be turned
off and since it permits manipulation of files on the server, it’s just a
matter of time till this is exploited in a fairly major way. Currently, the only
way to limit use of WebDAV is via NTFS permissions. There is also the ‘Script
Source Access’ checkbox, but that is not configurable on a per-user basis. Consequently,
it’s either on for everyone or off for everyone.
Due to the design, if you want one person to be able to access a site with WebDAV,
the web or virtual directory permissions must be set to Read and Write. If you
wish them to be able to list the contents, then Directory Browsing must also be
enabled. Consequently, web access controls in the MMC become more liberal than
you would generally assign using, for example, Front Page. With Front Page, you
can set your web to Read in the MMC, and still write to the site using the Front
Page client. This is managed via a combination of proprietary communications and
NTFS permissions. Since WebDAV is actually HTTP, you can’t write to the site with
WebDAV unless Write is enabled in the MMC. So, with a write enabled site, control
then falls to the file system to shape access control. The good news is that NTFS
is quite capable in this regard. The bad news is that you are relying entirely
on NTFS.
WebDAV permits clients to put locks on files, perform recursive operations on
large sets of files, and upload large files. All of these and more are
possible avenues for exploitation.
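Since the article notes that WebDAV cannot be switched off and that control falls to NTFS, the remaining defender lever is visibility. The following is an added example, not code from the article: it scans IIS W3C extended log lines for the WebDAV verbs and status codes listed above (plus the plain PUT/DELETE/COPY/MOVE writes WebDAV clients issue) and counts them per client. The log lines are constructed sample data; only the column names in the `#Fields:` header are taken from IIS's real W3C format.

```python
from collections import Counter

# Verbs the article lists (plus the plain HTTP writes WebDAV clients issue).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK",
                  "COPY", "MOVE", "PUT", "DELETE"}
# Status codes the article attributes to WebDAV responses.
WEBDAV_STATUS = {102, 207, 422, 423, 424, 425}

def parse_w3c(lines):
    """Yield one dict per request; column names come from the '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip malformed lines rather than misalign
                yield dict(zip(fields, values))

def find_webdav(lines):
    """Return (hits, per_client): WebDAV requests and how many each client made."""
    hits = []
    for rec in parse_w3c(lines):
        status = rec.get("sc-status", "")
        if (rec.get("cs-method", "").upper() in WEBDAV_METHODS
                or (status.isdigit() and int(status) in WEBDAV_STATUS)):
            hits.append(rec)
    return hits, Counter(r["c-ip"] for r in hits)

# Constructed sample log in the W3C extended format IIS 5 writes (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-08-14 09:00:01 10.0.0.5 - GET /default.htm 200
2003-08-14 09:00:07 10.0.0.9 - PROPFIND / 207
2003-08-14 09:00:08 10.0.0.9 - OPTIONS / 200
2003-08-14 09:00:12 10.0.0.9 DOMAIN\\dev PUT /scripts/new.asp 201
2003-08-14 09:00:15 10.0.0.9 DOMAIN\\dev LOCK /scripts/new.asp 423
2003-08-14 09:01:00 10.0.0.7 - GET /images/logo.gif 304
"""

if __name__ == "__main__":
    hits, per_client = find_webdav(SAMPLE_LOG.splitlines())
    for r in hits:
        print(r["c-ip"], r["cs-username"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print(dict(per_client))
```

A PUT that succeeds (201) is flagged by its method even though its status is not WebDAV-specific, which is why the check combines both columns.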
Authentication to WebDAV folders and webs is done through the standard W2K processes.
Digest authentication is specifically supported.
Summary
WebDAV is sort of a ‘hidden’ benefit of IIS 5.0/W2K. While it provides some usefulness,
it creates some problems. I am concerned that this functionality is not optional
and can’t be disabled via the user interface. Nevertheless, it is handy when I
can just double-click on a web folder and it opens up in a file system context.
However, it is almost as inconvenient when I type in the URL in IE 5.0 and it
opens to show files and folders instead of the rendered page. It is then necessary
to double-click the default page to render the page.
So, it’s a mixed bag. I’m predicting some major exploits of this capability in
the near future (just as when I saw WSH, I had this sinking feeling that Melissa
was not far away). Nevertheless, in some development environments, the usefulness
of drag-and-drop manipulation of files on the web server may be worth the
additional risks and administration.
First appeared at IISAnswers.com
About the Author:
Brett Hill, Internet Information Services MVP, is one of the nation's leading
trainers and authors on IIS. He has assisted Microsoft on the development of Internet
Information Services 5.0's course 2295a and is the lead Subject Matter Expert
on Microsoft's Internet Information Services 6.0 courseware. Brett is a contributing
editor to Windows & .Net Magazine, the author of Microsoft TechNet's monthly IIS
Insider column, and writes the IISAnswers newsletter (www.iisanswers.com).
His courses on advanced IIS 5 and IIS 6 administration and security (www.iistraining.com)
have been attended by many Fortune 500 companies and US Government agencies.
Read this newsletter at: http://www.sysadminnews.com/2003/0814.html