
I've got a bit of a challenge I'm hoping someone has some ideas on. I'm in the process of deploying a web app to a shared environment with a host running IIS7.5. A security scan has shown that WebDAV is enabled and a stop has been put on the site going live until it's turned off.

Since this finding, the host has been able to first manually disable WebDAV for the site directly in IIS (not a setting we have exposed in the IIS manager) and then provide a switch in their online control panel to turn it off. I can successfully add a network place and remotely connect to the file system while it's on but cannot do so once I turn it off, so functionally the setting appears to work.

Unfortunately the site is still returning an accept PROPFIND header and an Ms-Author-Via: DAV header and this seems to be the basis on which the security scanner makes its recommendations.

So the question is this: is it expected behaviour that when WebDAV is disabled for one site but enabled for others on the same machine, the response headers for that site should reflect what I'm seeing above? And is this by design, or is there something else that should be done configuration-wise at the individual site level to avoid this?

Troy Hunt

2 Answers

Hi, I hope this is of some help to you:

http://unixwiz.net/techtips/ms971492-webdav-vuln.html

While that is for IIS 5/6, it has some good info on security.

Try some of the opposite steps here:

http://learn.iis.net/page.aspx/350/installing-and-configuring-webdav-on-iis-7/

While this isn't a direct answer to your question I hope it is some help to you in finding one.

pablo

I can't contribute with a fix for IIS, but I can answer your question about whether this is normal behaviour.

The MS-Author-Via: DAV header should be of no consequence. It's worth noting that Apache includes this header when the DAV module is simply loaded, regardless of whether the URL being requested has DAV enabled. So the security scanner shouldn't be making recommendations based solely on that header.

Accepting a PROPFIND request for the URL is problematic however. The behaviour of Apache is to refuse PROPFIND requests for URLs which don't have DAV enabled. E.g.:

telnet www.somewhere.com 80
PROPFIND /

server returns:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for the URL /.</p>
<hr>
<address>Apache/2.2.24 (Unix) DAV/2 Server at www.somewhere.com Port 80</address>
</body></html>
bleater
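The telnet check in the answer above, as an added example that is not part of the original question or answers: a small Python script that issues OPTIONS and PROPFIND against a site you administer and reports the signals a scanner keys on (WebDAV verbs in the Allow header, the DAV and MS-Author-Via headers, and whether the PROPFIND itself is refused with 405/501 or answered with 200/207). The sample responses embedded in it are constructed for offline use and are not captured from IIS or Apache; the function and header names are this example's own.

```python
"""Check whether a site still advertises or serves WebDAV (added example)."""
import http.client
from typing import Dict, List, Tuple

# WebDAV verbs a site with WebDAV turned off should neither advertise nor answer.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

Response = Tuple[int, Dict[str, str]]


def parse_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.x response into (status code, headers keyed by
    lower-cased name). Only the head is needed for this check."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(None, 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess(options_resp: Response, propfind_resp: Response) -> Dict[str, object]:
    """Turn the two responses into the signals a scanner would report.
    The PROPFIND verdict is the one that matters: 'refused' (405/501) means the
    verb is rejected as in the Apache output above; 'accepted' (200/207) means a
    WebDAV handler is still serving the URL regardless of what the headers say."""
    _opt_status, opt_headers = options_resp
    pf_status, _pf_headers = propfind_resp
    allow = {m.strip().upper() for m in opt_headers.get("allow", "").split(",") if m.strip()}
    if pf_status in (405, 501):
        verdict = "refused"
    elif pf_status in (200, 207):
        verdict = "accepted"
    else:
        verdict = "unclear"  # e.g. 401/403: repeat the check with credentials
    return {
        "dav_methods_in_allow": sorted(allow & DAV_METHODS),
        "ms_author_via_dav": "dav" in opt_headers.get("ms-author-via", "").lower(),
        "dav_header_present": "dav" in opt_headers,
        "propfind": verdict,
    }


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 10.0) -> Dict[str, object]:
    """Live check against a site you administer: one OPTIONS, one PROPFIND."""
    results: List[Response] = []
    for method in ("OPTIONS", "PROPFIND"):
        headers = {"Host": host}
        if method == "PROPFIND":
            headers["Depth"] = "0"  # ask only about the URL itself
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers=headers)
            resp = conn.getresponse()
            resp.read()
            results.append((resp.status, {k.lower(): v for k, v in resp.getheaders()}))
        finally:
            conn.close()
    return assess(results[0], results[1])


# Constructed sample responses (not captured from a real host).
# Pair 1: a site that still advertises WebDAV and answers PROPFIND.
DAV_ON_OPTIONS = (b"HTTP/1.1 200 OK\r\n"
                  b"Allow: OPTIONS, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, "
                  b"COPY, MOVE, LOCK, UNLOCK\r\n"
                  b"DAV: 1,2\r\nMS-Author-Via: DAV\r\nContent-Length: 0\r\n\r\n")
DAV_ON_PROPFIND = (b"HTTP/1.1 207 Multi-Status\r\nContent-Type: text/xml\r\n"
                   b"Content-Length: 0\r\n\r\n")
# Pair 2: the Apache-style behaviour from the answer: MS-Author-Via is still
# sent because the module is loaded, but the verb itself is refused.
DAV_OFF_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                   b"MS-Author-Via: DAV\r\nContent-Length: 0\r\n\r\n")
DAV_OFF_PROPFIND = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>...</html>")


def check_samples() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Run the assessment over both constructed pairs."""
    on = assess(parse_response(DAV_ON_OPTIONS), parse_response(DAV_ON_PROPFIND))
    off = assess(parse_response(DAV_OFF_OPTIONS), parse_response(DAV_OFF_PROPFIND))
    return on, off


if __name__ == "__main__":
    for label, result in zip(("webdav on", "webdav off"), check_samples()):
        print(label, result)
```

The point of separating the signals is the one the answer makes: an MS-Author-Via header on its own is only evidence that a DAV module is loaded somewhere on the host, whereas a PROPFIND that comes back 200/207 shows the verb is actually being served for that site and is what needs fixing before the scan will pass.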