Introduction
In this article we explain how to implement a number of security measures to secure the WebDAV connection from the internet.
Step 1. Enable 'IP Address and Domain Restrictions'
IIS has a feature called 'IP Address and Domain Restrictions', which you can use to secure the connection.
You can enable this by installing it on your WebDAV server via the Server Manager. Go to:
Add Roles and Features -> Server Roles -> Web Server (IIS) -> Web Server -> Security -> enable IP and Domain Restrictions.
Step 2. Configure IP Addresses and the Rules
After installing the feature 'IP and Domain Restrictions', you can configure the IP Addresses and the Rules.
Open IIS on your WebDAV server.
Navigate to the website that hosts the WebDAV.
Double-click IP Addresses and Domain Restrictions.
From the Actions menu at the right side, click Edit Feature Settings.
A dialog window will open. Make sure it looks as depicted below, then click OK.
With these settings, IIS aborts the connection when a client that is not listed in an allow entry tries to connect to the WebDAV URL.
From the Actions menu at the right side, click Add Allow Entry…
A dialog window will open. Specify the IP address or IP address range that is allowed access.
Click OK when done.
You need to create a separate 'Allow Entry' for each IP address or IP address range. Which IP addresses and/or ranges you need to allow depends on your network setup, for example the Workspace 365 web server, client IP addresses, or the router/gateway IP. If Workspace is hosted by us, whitelist our IP range. If necessary, refer to the IIS logs to see from which IP addresses connections are initiated.
Verify that you are able to access the WebDAV file shares from the clients as defined in IIS.
Step 3. Prevent File Execution
IIS uses 'Handler Mappings' to allow or prevent the execution of files.
The Workspace implementation of WebDAV does not require file execution, therefore we advise disabling it.
There are three different feature permissions:
Read – enables or disables handlers that require read access.
Scripts – enables or disables handlers that require script rights.
Execute – enables or disables handlers that require execute rights.
Select the WebDAV site in IIS.
Double-click Handler Mappings.
From the Actions menu at the right side, click Edit Feature Permissions…
A dialog window will open. Uncheck the Script checkbox.
Click OK.
Step 4. Request filtering
WebDAV uses two special HTTP methods for administrative tasks:
MKCOL (create a new collection, like a directory).
MOVE (move files from one URL to another, or rename files).
These are not used by Workspace 365, which has its own implementation of these actions, designed to be more secure. Therefore, we describe below how to deny the MKCOL and MOVE verbs.
Ensure that Request filtering is installed from the IIS features.
Select the WebDAV site in IIS.
Double-click Request Filtering.
Click the HTTP Verbs tab.
From the Actions menu at the right side, click Deny Verb…
A dialog window will open. Enter MOVE and click OK.
Repeat the previous two steps (Deny Verb…, then OK), but this time enter MKCOL.
Step 5. Block file extensions
In addition to the above, it is possible to block specific file extensions via the WebDAV URL. We advise blocking the following file extensions:
.php
.cs
.cc
.cpp
.asp
.exe
.aspx
To block a file extension, follow the steps below.
In the Request Filtering section, click the tab File Name Extensions.
From the Actions menu at the right side, click Deny File Name Extensions…
A dialog window will open. Enter the extension name you want to block and click OK. Repeat this step for each extension you want to block.
Click the tab Hidden Segments.
Verify that web.config is listed as a hidden segment. If not, click Add Hidden Segment in the Actions menu on the right side to add it.
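To check afterwards that all five steps are actually in effect on a server, the following PowerShell audit script is an added example (it is not part of this article or of Workspace 365). It assumes an elevated session on the WebDAV server with the WebAdministration module available, and that $SiteName is replaced with the name of the IIS site that hosts WebDAV.

```powershell
# Added audit script (not from the article): reports PASS/FAIL for each hardening step.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'   # assumption: replace with the site that hosts WebDAV
$Path      = "IIS:\Sites\$SiteName"
$DenyVerbs = 'MOVE', 'MKCOL'
$DenyExts  = '.php', '.cs', '.cc', '.cpp', '.asp', '.exe', '.aspx'

function Report($Check, $Ok) {
    $mark = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $mark, $Check)
}

# Steps 1 and 2: unlisted clients must be denied and the deny action must abort the connection.
$ip = Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/ipSecurity'
Report 'IP restrictions deny unlisted clients' (-not $ip.allowUnlisted)
Report 'Deny action aborts the connection'     ($ip.denyAction -eq 'AbortRequest')
$allow = @(Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/ipSecurity/add' |
           Where-Object { $_.allowed })
Report 'At least one Allow Entry exists'       ($allow.Count -gt 0)
$allow | ForEach-Object { Write-Output ("      allowed: {0} {1}" -f $_.ipAddress, $_.subnetMask) }

# Step 3: handler feature permissions should be Read only (no Script, no Execute).
$policy = (Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/handlers').accessPolicy
Report "Handler permissions are Read only (found: $policy)" ($policy -notmatch 'Script|Execute')

# Step 4: MOVE and MKCOL must appear as denied verbs in Request Filtering.
$verbs = Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/requestFiltering/verbs/add'
foreach ($v in $DenyVerbs) {
    $hit = $verbs | Where-Object { $_.verb -eq $v -and -not $_.allowed }
    Report "Verb $v is denied" ($null -ne $hit)
}

# Step 5: the listed extensions must be denied and web.config must be a hidden segment.
$exts = Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/requestFiltering/fileExtensions/add'
foreach ($e in $DenyExts) {
    $hit = $exts | Where-Object { $_.fileExtension -eq $e -and -not $_.allowed }
    Report "Extension $e is denied" ($null -ne $hit)
}
$hidden = Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/requestFiltering/hiddenSegments/add'
Report 'web.config is a hidden segment' ($null -ne ($hidden | Where-Object { $_.segment -eq 'web.config' }))
```

Run it again after any change in IIS Manager; a FAIL line names the step that still needs attention.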