Managing WebDAV Security (IIS 6.0)
This topic provides a brief overview of recommended security practices for remote publishing. It describes how to protect your server and content by authenticating client connections to your server and by controlling access to content on your server. Included in this topic are descriptions of the following:
For security reasons and to enable DAV custom properties, ensure that your publishing directory resides on an NTFS partition. To learn more about NTFS partitions, see Windows Server 2003 family Help.
The best way to configure a WebDAV directory depends on the kind of publishing that you want to do. When you create a virtual directory through IIS, Anonymous and Integrated Windows authentication are both turned on. Although this default configuration works well for clients connecting to your server, reading content on a Web page, and running scripts, it does not work well with clients publishing to a directory and manipulating files in that directory.
IIS offers the following authentication methods:
This section describes how you can control access to your WebDAV directory by coordinating IIS and Windows Server 2003 permissions, and how you can protect your script files.
Configuring Web Permissions
The following are various ways to configure Web permissions based on the purpose of the material you are publishing:
Controlling Access with DACLs
WebDAV takes advantage of the security features offered by the platform and the Web server, including permissions control and discretionary access control lists (DACLs) in the NTFS file system. When setting up a WebDAV publishing directory on an NTFS file system drive, make sure the Everyone group has Read permission only. Then assign Write permission to specific individuals or groups.
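One way to check the DACL recommendation above is to audit the publishing directory from Windows PowerShell. The script below is an added example, not part of the original IIS documentation. It assumes Windows PowerShell 2.0 or later; the function name Test-WebDavDacl and the path D:\WebDAVPublish are hypothetical, and it tolerates the Synchronize right alongside Read for the Everyone group.

```powershell
# Added example: audit the NTFS DACL of a WebDAV publishing directory.
function Test-WebDavDacl {
    param([string]$Path = 'D:\WebDAVPublish')    # hypothetical placeholder path

    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    # Everyone may hold Read, plus Synchronize, which Windows includes in
    # ordinary Allow entries.
    $allowed = [int]($fsr::Read -bor $fsr::Synchronize)
    # Write bits, plus GENERIC_WRITE and GENERIC_ALL, which inherit-only
    # entries can carry unmapped.
    $write   = [int]$fsr::Write -bor 0x40000000 -bor 0x10000000

    # Explicit and inherited rules, with identities returned as SIDs so the
    # check does not depend on the localized name of the Everyone group.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$rule.FileSystemRights
        $sid  = $rule.IdentityReference.Value

        if ($sid -eq 'S-1-1-0') {                # well-known SID for Everyone
            if (($mask -band (-bnot $allowed)) -eq 0) { continue }
            $note = 'Everyone holds more than Read'
        } elseif (($mask -band $write) -ne 0) {
            $note = 'Write granted: confirm this principal is intended'
        } else { continue }

        # Resolve the SID to a name; orphaned SIDs stay as the raw SID.
        try   { $name = $rule.IdentityReference.Translate($ntType).Value }
        catch { $name = $sid }

        New-Object PSObject -Property @{
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Note      = $note
        }
    }
}

Test-WebDavDacl | Format-Table Identity, Rights, Inherited, Note -AutoSize
```

An empty result means Everyone holds nothing beyond Read and no other principal holds Write on the directory itself; files and subdirectories with their own explicit entries need the same check.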
Protecting Script Code
If you have script files in your publishing directory that you do not want to expose to clients, you can deny access to these files by verifying that Script source access permission is not assigned. Executable files are treated as static HTML files unless Scripts and Executables is enabled for the directory.
To prevent .exe files from being downloaded and viewed as HTML files while still allowing them to run, open the Virtual Directory property sheet of the publishing directory and change the Execute Permissions to Scripts and Executables.
This level of permission makes all executable files subject to the Script source access setting. When Script source access is selected, clients with Read permission can see all executables, and clients with Write permission can edit them as well as run them.
With the following permissions, clients can write to an executable file that does not appear in the Application Mapping:
With the following permissions, clients can write to any executable file, regardless of whether it appears in the Application Mapping: