{
	"id": "837db635-69ed-41d7-9e5a-d67065454d52",
	"created_at": "2026-04-06T01:31:04.642043Z",
	"updated_at": "2026-04-10T03:20:38.685206Z",
	"deleted_at": null,
	"sha1_hash": "d1387d23558f2537c77b32987feee0551d4c75d2",
	"title": "Managing WebDAV Security (IIS 6.0)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47272,
	"plain_text": "Managing WebDAV Security (IIS 6.0)\r\nArchived: 2026-04-06 01:03:04 UTC\r\nThe Wayback Machine -\r\nhttps://web.archive.org/web/20100210125749/http://www.microsoft.com:80/technet/prodtechnol/WindowsServer2003/Library/IIS/4bed\r\n0cba-424c-8b9b-a5832ad8e208.mspx\r\nThis topic provides a brief overview of recommended security practices for remote publishing. It briefly describes how to\r\nprotect your server and content by authenticating client connections to your server and by controlling access to content on\r\nyour server. Included in this topic are descriptions of the following:\r\n• Authenticating Clients\r\n• Controlling Access\r\nNote\r\nFor security reasons and to enable DAV custom properties, ensure that your publishing directory resides on an NTFS\r\npartition. To learn more about NTFS partitions, see Windows Server 2003 family Help.\r\nAuthenticating Clients\r\nThe best way to configure a WebDAV directory depends on the kind of publishing that you want to do. When you create a\r\nvirtual directory through IIS, Anonymous and Integrated Windows authentication are both turned on. Although this default\r\nconfiguration works well for clients connecting to your server, reading content on a Web page, and running scripts, it does\r\nnot work well with clients publishing to a directory and manipulating files in that directory.\r\nIIS offers the following authentication methods:\r\n• Kerberos is the primary security protocol for authentication within a domain. Kerberos is the best option for\r\nWebDAV client authentication and file security.\r\n• Anonymous authentication grants anyone access to the directory. You should turn off anonymous access to your\r\nWebDAV directory. 
Without controlling who has access, your directory could be attacked by unknown clients.\r\n• Basic authentication sends passwords over the connection in clear text. Clear text passwords can be intercepted and\r\nread. Turn on Basic authentication only if you encrypt passwords by using Secure Sockets Layer.\r\n• Digest authentication is a good choice for publishing information on a server that is accessed over the Internet and\r\nthrough firewalls because the passwords are sent over the network as an MD5 hash. However, passwords are stored\r\nas plain text in Active Directory.\r\n• Advanced Digest authentication is an improvement over Digest authentication because in addition to sending\r\npasswords over the network as an MD5 hash, the passwords are also stored in Active Directory as an MD5 hash\r\nrather than plaintext. 
This makes Advanced Digest the best choice for publishing information on a server that is\r\naccessed over the Internet and through firewalls.\r\n• Integrated Windows authentication works best when you are setting up a WebDAV directory on an intranet.\r\n• .NET Passport authentication uses cookies to validate user credentials.\r\nControlling Access\r\nThis section describes how you can control access to your WebDAV directory by coordinating IIS and Windows Server 2003\r\npermissions, and how you can protect your script files.\r\nConfiguring Web Permissions\r\nThe following are various ways to configure Web permissions based on the purpose of the material you are publishing:\r\n• Read, Write, and directory browsing enabled: Turning on these permissions allows clients to see a list of resources,\r\nmodify them (except for those resources without Write permission), publish their own resources, and manipulate\r\nfiles.\r\n• Write enabled; and Read and directory browsing disabled: If you want clients to publish private information on the\r\ndirectory, but do not want others to see what has been published, set Write permission and do not set Read or\r\ndirectory browsing permission. This configuration works well if clients are submitting ballots or performance\r\nreviews.\r\n• Read and Write enabled; and directory browsing disabled: Set this configuration if you want to rely on obscuring\r\nfile names as a security method. However, be aware that security by obscurity is a low-level security precaution\r\nbecause an attacker could guess file names by trial and error.\r\n• Index this resource enabled: Be sure to enable Indexing Service if you plan to let clients search directory resources.\r\nControlling Access with DACLs\r\nWebDAV takes advantage of the security features offered by the platform and the Web server, including permissions control\r\nand discretionary access control lists (DACLs) in the NTFS file system. 
When setting up a WebDAV publishing directory on\r\nan NTFS file system drive, make sure the Everyone group has Read permission only. Then assign Write permission to\r\nspecific individuals or groups.\r\nProtecting Script Code\r\nIf you have script files in your publishing directory that you do not want to expose to clients, you can deny access to these\r\nfiles by verifying that Script source access permission is not assigned. Executable files are treated as static HTML files\r\nunless Scripts and Executables is enabled for the directory.\r\nTo prevent .exe files from being downloaded and viewed as HTML files, but to allow .exe files to run, on the Virtual\r\nDirectory property sheet of the publishing directory, change the Execute Permissions to Scripts and Executables.\r\nThis level of permission makes all executable files subject to the Script source access setting. 
When Script source access is\r\nselected, clients with Read permission can see all executables; and clients with Write permission can edit them, as well as\r\nrun them.\r\nWith the following permissions, clients can write to an executable file that does not appear in the Application Mapping:\r\n• Write permission is assigned.\r\n• Execute Permissions is set to Scripts only.\r\nWith the following permissions, clients can write to any executable file, regardless of whether it appears in the Application\r\nMapping:\r\n• Script source access is assigned.\r\n• Execute Permissions is set to Scripts and Executables.\r\nRelated Information\r\nSource: https://web.archive.org/web/20100210125749/https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-42\r\n4c-8b9b-a5832ad8e208.mspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20100210125749/https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx"
	],
	"report_names": [
		"4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775439064,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1387d23558f2537c77b32987feee0551d4c75d2.pdf",
		"text": "https://archive.orkl.eu/d1387d23558f2537c77b32987feee0551d4c75d2.txt",
		"img": "https://archive.orkl.eu/d1387d23558f2537c77b32987feee0551d4c75d2.jpg"
	}
}