How to Configure WebDAV Settings Using AppCmd

By Robert McMurray

February 14, 2008

Introduction

Microsoft released a new WebDAV extension module that was completely rewritten for Internet Information Services 7.0 (IIS 7.0) on Windows Server® 2008. This new WebDAV extension module incorporated many new features that enable web authors to publish content better than before, and offers web administrators more security and configuration options. Microsoft has released an update to the WebDAV extension module for Windows Server® 2008 that provides shared and exclusive locks support to prevent lost updates due to overwrites.

This document will walk you through using the new AppCmd.exe utility in IIS 7.0 to configure WebDAV settings from a command-line or batch script.

In This Walkthrough

Prerequisites

The following items are required to complete the procedures in this article:

  • IIS 7.0 must be installed on your server, and the following must be configured:
    • The Default Web Site that is created by the IIS 7.0 installation must still exist.
  • The new WebDAV extension module must be installed. For information regarding the installation of the new WebDAV module, please see the following document:

Note: You need to make sure that you follow the steps in this document using full administrative permissions. This is best accomplished using one of two methods:

  • Log in to your computer using the local "administrator" account.
  • If you are logged in using an account with administrative permissions that is not the local "administrator" account, open IIS Manager and all command prompt sessions using the "Run as Administrator" option.

The above condition is required because the User Account Control (UAC) security component in Windows Server 2008 will prevent administrative access to IIS 7.0’s configuration settings. For more information about UAC, please see the following documentation:

Note: Request Filtering settings may block several file types from WebDAV authoring by default. When you configure WebDAV using the IIS Manager UI, the request filtering settings are automatically updated in order to unblock WebDAV authoring. However, if you choose to configure WebDAV in any manner other than using the IIS Manager UI see the How to Configure WebDAV with Request Filtering walkthrough.

Basic AppCmd Concepts

AppCmd.exe is a new command-line tool for administering IIS 7.0. In many ways, think of it as a replacement for the adsutil.vbs script from previous IIS versions. AppCmd.exe supports a wide range of command switches for various objects, making it easily scriptable in batch files to configure a myriad of IIS settings. (Note: The AppCmd.exe utility is located in the %WinDir%\System32\InetSrv folder.)

The general syntax for AppCmd.exe is:

AppCmd (command) (object-type) <identifier> </parameter1:value1 ...>

AppCmd.exe also provides extensive command-line help support, which can be accessed using one of the following methods:

AppCmd /?
AppCmd (object) /?
AppCmd (command) (object) /?

The list of commands depends on the object, and the following objects are supported:

Object Description
SITE Administration of virtual sites
APP Administration of applications
VDIR Administration of virtual directories
APPPOOL Administration of application pools
CONFIG Administration of general configuration sections
WP Administration of worker processes
REQUEST Administration of HTTP requests
MODULE Administration of server modules
BACKUP Administration of server configuration backups
TRACE Working with failed request trace logs

For example, you can list which web sites are configured on your server using the SITE object with the following syntax:

AppCmd list site

Likewise, you can list which application pools are configured on your server using the APPPOOL object with following syntax:

AppCmd list apppool

AppCmd can also be used to set the values for various configuration settings using the SITE object, and you can use the following command to list the available settings for your Default Web Site using the following syntax:

AppCmd set site “Default Web Site” /?

To list the configuration settings for a specific path, you use the CONFIG object like the following example:

AppCmd list config "Default Web Site/" /section:system.webServer/security/authentication/windowsAuthentication

The CONFIG object can also be used to set configuration settings, as shown in the following example:

AppCmd set config "Default Web Site/" /section:system.webServer/security/authentication/windowsAuthentication /enabled:true

You can also control where AppCmd will write the settings that you specify by using the “/commit:” command-line parameter. For example, later in this document we will take a look at the following command that enables WebDAV on your Default Web Site:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /enabled:true /commit:apphost

Note: This command enables WebDAV for the Default Web Site and writes that setting to the ApplicationHost.config file.

AppCmd is an extremely powerful utility, and realistically speaking there’s too much to cover in such a short space, so for more information about becoming familiar with AppCmd.exe, please see the following article on the IIS.NET web site:

Thatsaid, we move on to configuring WebDAV on your server.

Getting Started with WebDAV

WebDAV installs an extension to the default schema for IIS settings, which is what makes AppCmd work with WebDAV without any special modifications. The new WebDAV module stores all of its configurable settings in ApplicationHost.config file, and uses the following sections:

  • system.webServer/webdav/authoring
  • system.webServer/webdav/authoringRules

The “authoring” settings are only configurable at the root of a web site, whereas the “authoringRules” settings can be configured per-URL. To see which settings have been configured for each of these sections for a given path, you can use AppCmd as seen in the following examples:

AppCmd list config "Default Web Site/" /section:system.webServer/webdav/authoring
AppCmd list config "Default Web Site/" /section:system.webServer/webdav/authoringRules

Enabling or Disabling WebDAV for a Web Site

Understandably enough, the most basic and useful command for WebDAV is enabling or disabling WebDAV for a site. The syntax for enabling WebDAV a web site follows the following example:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /enabled:true /commit:apphost

In this example, we set the “enabled” attribute to “true” for the WebDAV “authoring” section on the Default Web Site and force that change to be written to the ApplicationHost.config file. Conversely, you can disable WebDAV by setting that same value to “false” as shown in the following example:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /enabled:false /commit:apphost

Requiring SSL for WebDAV Authoring for a Web Site

In order to protect the information that you may be transferring, WebDAV can be configured to require SSL for all operations. This is accomplished by setting the “requireSsl “ attribute to “true” for the WebDAV “authoring” section using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /requireSsl:true /commit:apphost

This functionality can be disabled by setting the “requireSsl” attribute to “false” using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /requireSsl:false /commit:apphost

Allowing Access to Hidden Files for a Web Site

For security reasons, you can suppress whether files that are marked as hidden on the server will be returned in file listings. To do so, set the “allowHiddenFiles” attribute to “true” on the “fileSystem” element in the “authoring” section using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost

To disable listing hidden files, set the “allowHiddenFiles” attribute to “false” using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:false /commit:apphost

Configuring WebDAV Compatibility Settings for a Web Site

In order to be compatible with previous versions of WebDAV for IIS, some optional features are exposed through compatibility settings. Currently the list of options is as follows:

Compatibility Setting Description
None Specifies that no compatibility features should be supported.
MsAuthorVia Specifies that the “MS-Author-Via” header should be returned. (Note: Several of Microsoft’s web authoring tools use this header.)
MultiProp Specifies that multiple <prop> statements should be allowed in client requests.
CompactXml Defines whether the XML returned by the WebDAV module will terminate each line with a CRLF sequence.
IsHidden Specifies that the IsHidden pseudo-live property should be supported.
IsCollection Specifies that the IsCollection pseudo-live property should be supported.

To set any of these features, you will need to set the value of “compatFlags” attribute on the “authoring” section using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoring /compatFlags:"MsAuthorVia,CompactXml" /commit:apphost

Notice that the compatibility settings are specified as a set of comma-separated flags.

Working with WebDAV Authoring Rules

The new WebDAV module makes use of authoring rules, which allow you to configure the way that WebDAV responds to authoring request from clients. For example, your web site may have anonymous access enabled for Internet users, but your web authoring access should be restricted to a certain set of users. Using authoring rules, you can configure which users have access to the various parts of your web site’s content.

Configuring Authoring Rule Defaults

Specifying whether non-MIME-mapped files are allowed

For security reasons, IIS does not allow access to files that are not listed in the MIME map by default. With that in mind, web authors may need to work with certain file types on a server that are not listed in the MIME map. (For example: include files, data files, etc.) To enable access to non-MIME-mapped files, you need to set the “allowNonMimeMapFiles” attribute to “true” on the “authoringRules” section. The following syntax example illustrates how this is accomplished:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /allowNonMimeMapFiles:true /commit:apphost

This functionality can be disabled by setting the “allowNonMimeMapFiles” attribute to “false” using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /allowNonMimeMapFiles:false /commit:apphost

Specifying the default MIME type

When working with file types that are not in the MIME list, IIS still needs to return a MIME type to clients. By default this is set to “application/octet-stream”, which means that the file should be treated as a raw binary file regardless of the content type. To set the default MIME type for non-MIME-mapped files to a text file type you could use the following syntax:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /defaultMimeType:"text/plain" /commit:apphost

To reset the default MIME type, use the following syntax:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /defaultMimeType:"application/octet-stream" /commit:apphost

Managing Authoring Rules

Authoring rules are kept in a collection, and each rule can contain the following attributes:

Attribute Description
path Specifies the content type for the rule. (See below)
users Specifies the user name for the rule. (See below)
roles Specifies a group/role for the rule.
access Specifies the access type for the rule. (See below)

Notes:

  • The “path” attribute is used to specify the content type for the authoring rule. This can be for specific content types like “*.aspx”, “*.htm”, etc., or you can use “*” to indicate that the authoring rule is for all content.
  • The “roles” and “users” attributes should be declared exclusive to each other. That is to say, an authoring rule should be for either “users” or “roles”, but not both.
  • The following special values for the “users” attribute are defined:
    Value Description
    * All users
    ? Anonymous users
    Note: Anonymous users cannot read/write content; this setting is used to restrict the file types for anonymous property queries.
  • The following values are defined for the access types:
    Value Description
    None Specifies that access is not allowed for the content type
    Read Specifies read access for the content type
    Write Specifies write access for the content type
    Source Specifies access to the source code for the content type

Adding an authoring rule

To add an authoring rule for a path, you can use syntax like the following examples:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /+[users='administrator',path='*',access='Read,Write,Source'] /commit:apphost
AppCmd set config "Default Web Site/mypath" /section:system.webServer/webdav/authoringRules /+[roles='Authors',path='*.aspx',access='Read,Write,Source'] /commit:apphost

Editing an authoring rule

Once an authoring rule has been added, you can edit that rule using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /[users='administrator',path='*'].access:"None" /commit:apphost

Removing an authoring rule

You can remove an authoring rule by simply specifying the user or role name using syntax like the following:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /-[users='administrator'] /commit:apphost

Note: If more than one authoring rule exists for that user, the above command will only remove the first authoring rule in the list and you would need to repeat the command to remove subsequent rules for that user.

Or you can specify both the user or role name and the content type like the following example:

AppCmd set config "Default Web Site/" /section:system.webServer/webdav/authoringRules /-[users='administrator',path='*'] /commit:apphost

Summary

This document has shown you how to do the following:

More Information

For additional information about using WebDAV, please see the following articles:

Note: As mentioned earlier, your default request filtering settings may block several file types from WebDAV authoring. If you do not modify your request filtering settings, you may see various errors when you try to publish files that are blocked. For example, if you attempt to upload or download a web.config file you will see errors in your WebDAV client. For more information about configuring your request filtering settings, see the How to Configure WebDAV with Request Filtering walkthrough.



Discuss in IIS Forums