How to Configure WebDAV with Request Filtering

By Robert McMurray

February 14, 2008

Introduction

Microsoft released a new WebDAV extension module that was completely rewritten for Internet Information Services 7.0 (IIS 7.0) on Windows Server® 2008. This new WebDAV extension module incorporated many new features that enable web authors to publish content better than before, and offers web administrators more security and configuration options. Microsoft has released an update to the WebDAV extension module for Windows Server® 2008 that provides shared and exclusive locks support to prevent lost updates due to overwrites.

IIS 7.0 provides several great new security features, including the IIS 7.0 new Request Filtering. For IIS users who are familiar with UrlScan from previous versions of IIS, the Request Filtering feature in IIS 7.0 is like having URLScan built-in.

The new WebDAV module and Request Filtering were designed to work together, and this document walks you through configuring WebDAV-related Request Filtering settings together with WebDAV settings in order to set up a secure publishing environment. Note that if you use the IIS Manager UI to configure WebDAV then the request filtering settings are automatically updated and you do not need to follow the steps in this article.

In This Walkthrough

Prerequisites

The following items are required to complete the procedures in this article:

  • IIS 7.0 must be installed on your server, and the following must be configured:
    • The Default Web Site that is created by the IIS 7.0 installation must still exist.
    • The Request Filtering feature must be installed.
  • The new WebDAV extension module must be installed. For information regarding the installation of the new WebDAV module, please see the following document:
  • Knowledge of how to use AppCmd is helpful. For more information about using request filtering, please see the following document:

Note: You need to make sure that you follow the steps in this document using full administrative permissions. This is best accomplished using one of two methods:

  • Log in to your computer using the local "administrator" account.
  • If you are logged in using an account with administrative permissions that is not the local "administrator" account, open IIS Manager and all command prompt sessions using the "Run as Administrator" option.

The above condition is required because the User Account Control (UAC) security component in Windows Server 2008 will prevent administrative access to IIS 7.0’s configuration settings. For more information about UAC, please see the following documentation:

Basic Request Filtering Concepts

Request Filtering in IIS 7.0 consists of filtering requests based on the following parameters:

  • File Extensions
  • Hidden Segments
  • HTTP Verbs
  • Request Limits
  • URL Sequences

All of these request filtering features can impact content that is uploaded or download through WebDAV, but some features can be configured to work in cooperation with WebDAV.

The following list describes which features can be configured to work with WebDAV:

  • The following features always affect WebDAV requests:
    • Request Limits
    • URL Sequences
  • The following features affect WebDAV requests by default, but they can be configured to bypass WebDAV requests:
    • File Extensions
    • Hidden Segments
    • HTTP Verbs

For example, you can configure your server to allow non-WebDAV requests for ".htm" and ".php" files while blocking access to ".mdb" and ".config" files, while still allowing WebDAV requests to access that blocked content.

Note: WebDAV requests require authentication.

You can edit your request filtering settings using one of the following methods:

  • Using the user interface that is provided as part of Administration Pack for IIS 7.0
  • Using AppCmd from a command-line
  • Editing your applicationHost.config file
  • Using Microsoft.Web.Administration from a .NET application or Windows PowerShell

The remaining information in this walkthrough will show you how to use AppCmd from a command-line, while also showing what the resulting configuration settings in your applicationHost.config file might look like.

Note: This document does not cover all of the features that can be configured using request filtering. For information about configuring additional request filtering options, please see the following topic:

Configuring Request Filtering and WebDAV

Filtering File Extensions

Certain file extensions like ".config" and ".asax" are protected by the default request filtering fileExtensions collection. You can add additional entries to the list of file extensions in order to allow or block them for HTTP requests, and you can control whether this list applies to WebDAV requests. In this example you will use AppCmd block ".txt" files from being accessed, even though they might normally be accessible, and you will specify that WebDAV requests will be able to access all blocked file extensions.

  1. Open a command prompt with full administrative privileges and change directory to your InetSrv folder:
    cd "%WinDir%\System32\InetSrv"
  2. Use the following syntax to view the existing request filtering rules:
    AppCmd list config "Default Web Site/" /section:system.webServer/security/requestFiltering 
  3. Block access to ".txt" files by adding a specific file extension to the fileExtensions collection and specifying false for the allowed attribute using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /+fileExtensions.[fileExtension='.txt',allowed='false'] /commit:apphost
  4. Allow WebDAV to access all blocked file types by setting the applyToWebDAV attribute for the fileExtensions collection to false using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /fileExtensions.applyToWebDAV:false /commit:apphost

After completing the above steps the resulting code in the fileExtensions section of your applicationHost.config file should resemble the following example:

<requestFiltering>
<fileExtensions applyToWebDAV="false">
<add fileExtension=".txt" allowed="false" />
</fileExtensions>
</requestFiltering>

Notes:

  • You can use the above steps to block access to additional file extensions by adding them to the fileExtensions collection, or you can modify the syntax to allow specific files by specifying true for the allowed attribute.
  • You can block all unknown file extensions by setting the allowUnlisted attribute for the fileExtensions collection to false using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /fileExtensions.allowUnlisted:false /commit:apphost

    Note: Setting this option requires that you specifically add each file extension before it can be accessed by non-WebDAV requests.
  • You can use the above steps to block access for WebDAV requests by specifying true for the applyToWebDAV attribute.

Filtering Hidden Segments

Certain file segments like "web.config" and "App_code" are hidden by the default request filtering hiddenSegments collection. You can add additional entries to the list of file segments in order to hide them for HTTP requests, and you can control whether this list applies to WebDAV requests. In this example, you will use AppCmd hide the "include" segment from HTTP requests, even though it would normally be visible, and you will specify that WebDAV requests will be able to access all hidden file segments.

  1. Open a command prompt with full administrative privileges and change directory to your InetSrv folder:
    cd "%WinDir%\System32\InetSrv"
  2. Block access to the "include" segment by adding a specific entry to the hiddenSegments collection using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /+hiddenSegments.[segment='include'] /commit:apphost
  3. Allow WebDAV to access all blocked file types by setting the applyToWebDAV attribute for the hiddenSegments collection to false using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /hiddenSegments.applyToWebDAV:false /commit:apphost

After completing the above steps the resulting code in the hiddenSegments section of your applicationHost.config file should resemble the following example:

<requestFiltering>
<hiddenSegments applyToWebDAV="false">
<add segment="include" />
</hiddenSegments>
</requestFiltering>

Notes:

  • You can use the above steps to hide additional file segments by adding them to the hiddenSegments collection.
  • You can use the above steps to block access for WebDAV requests by specifying true for the applyToWebDAV attribute.

Filtering HTTP Verbs

The default request filtering verbs collection allows all unlisted HTTP verbs, even though some verbs may not be mapped to specific HTTP handlers. You can specify which HTTP verbs should be allowed or blocked by adding entries to this list, and you can control whether this list applies to WebDAV requests. In this example, you will use AppCmd to block the "DELETE" and "PUT" verb from HTTP requests, and you will specify that WebDAV requests will be able to use these verbs.

  1. Open a command prompt with full administrative privileges and change directory to your InetSrv folder:
    cd "%WinDir%\System32\InetSrv"
  2. Block access to the "DELETE" verb by adding a specific entry to the verbs collection and specifying false for the allowed attribute using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /+verbs.[verb='DELETE',allowed='false'] /commit:appHost
  3. Block access to the "PUT" verb by adding another specific entry to the verbs collection and specifying false for the allowed attribute using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /+verbs.[verb='PUT',allowed='false'] /commit:appHost
  4. Allow WebDAV to access all HTTP verbs by setting the applyToWebDAV attribute for the verbs collection to false using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /verbs.applyToWebDAV:false /commit:appHost

After completing the above steps the resulting code in the verbs section of your applicationHost.config file should resemble the following example:

<requestFiltering>
<verbs applyToWebDAV="false">
<add verb="DELETE" allowed="false" />
<add verb="PUT" allowed="false" />
</verbs>
</requestFiltering>

Notes:

  • You can use the above steps to block additional HTTP verbs by adding them to the verbs collection, or you can modify the syntax to allow specific verbs by specifying true for the allowed attribute.
  • You can block all unknown HTTP verbs by setting the allowUnlisted attribute for the verbs collection to false using the following syntax:
    AppCmd set config "Default Web Site/" /section:system.webServer/security/requestFiltering /verbs.allowUnlisted:false /commit:appHost

    Note: Setting this option requires that you specifically add each HTTP verb before it can be accessed by non-WebDAV requests.
  • You can use the above steps to block access for WebDAV requests by specifying true for the applyToWebDAV attribute.

Summary

This document has shown you the following concepts:

More Information

For additional information about using WebDAV, please see the following articles:



Discuss in IIS Forums