Securing your WebDAV SSL file server in IIS
Table of Contents
- Securing the WebDAV via IP and Domain filtering
- Prevent File Execution
- Request filtering
To protect a WebDAV connection that is reachable from the internet, you can implement the following security measures.
Securing the WebDAV via IP and Domain filtering
IIS has a module for this called “IP Address and Domain Restrictions”. You can enable this IIS feature via the Server Manager:
Add Roles and Features -> Server Roles -> Web Server (IIS) -> Web Server -> Security, and enable “IP Address and Domain Restrictions”.
When this feature is enabled you can configure the IP Addresses and the Rules.
- On the IIS website that hosts the WebDAV, click “IP Address and Domain Restrictions”.
- Then click “Edit Feature Settings…” in the Actions pane on the right side.
- In this dialog set the following settings and click “OK”.
NOTE: These settings abort a connection when an unspecified client tries to connect to the WebDAV web URL.
- Once this is configured, click “Add Allow Entry…” in the Actions pane.
- Specify the IP addresses or IP address range that are allowed, e.g. the Workspace 365 web server plus the IP addresses of the client workspaces.
- When done, click “OK”.
Your WebDAV URL is now secured and only accessible from the Workspace 365 web server and from the clients’ PCs.
Prevent File Execution
IIS uses Handler Mappings to prevent or allow execution of files. The Workspace implementation with WebDAV does not require file execution, so we advise disabling it.
To do this, you’ll need to modify the following settings on the IIS WebDAV Website.
- Select the WebDAV website, then select “Handler Mappings”.
- In the Actions pane on the right, click “Edit Feature Permissions…”.
- In the dialog uncheck the “Script” checkbox.
- Click “OK”. The folders in the WebDAV website are now secured against file execution.
Request filtering
WebDAV uses a few special HTTP methods (MKCOL and MOVE). MKCOL is used to create a new collection, such as a directory. MOVE is used to move a file from one URI to another, or to rename files.
Workspace 365 does not use these methods; Workspace created its own implementation of these actions to make them more secure.
Note: Make sure that the Request Filtering feature is installed under the IIS feature (Server Manager) -> Security -> Request Filtering.
- Select the IIS Website and click on “Request Filtering”.
- When opened, click on the “HTTP Verbs” section.
- Click “Deny Verb…” in the Actions pane on the right.
- First add the verb “MOVE” and click “OK”. Then repeat step 3, add the value “MKCOL”, and click “OK”.
It is possible to block specific file extensions on the WebDAV URL. We advise the following setup for the following file extensions.
To block these file extensions please follow these steps:
- In the “Request Filtering” section, click “File Name Extensions”.
- Click the “Deny File Name Extension…” option on the right.
- In this dialog, fill in the extension name you want to deny and click “OK”. We suggest denying the extensions we provided above.
The last step is to add web.config to the “Hidden Segments” section.
IMPORTANT: When this is completed, open the root of your website (right-click the IIS website -> Explore), where you’ll find the web.config. Check that applyToWebDAV="true" is in there. If it is not, replace the <fileExtensions> line with <fileExtensions applyToWebDAV="true">
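The web.config review described above can be scripted. The following is an added example, not part of the original article or of Workspace 365: it audits the requestFiltering section for the denied MOVE and MKCOL verbs, the web.config hidden segment and applyToWebDAV="true". It goes beyond the page by applying the applyToWebDAV check to the verbs and hiddenSegments collections as well, which accept the same attribute; the sample web.config and the ".exe" extension are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article); ".exe" is a placeholder extension.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs applyToWebDAV="true">
          <add verb="MOVE" allowed="false" />
        </verbs>
        <fileExtensions>
          <add fileExtension=".exe" allowed="false" />
        </fileExtensions>
        <hiddenSegments applyToWebDAV="true">
          <add segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

def audit_request_filtering(web_config_xml):
    """Return a list of findings; an empty list means the section matches the steps above."""
    findings = []
    rf = ET.fromstring(web_config_xml).find("system.webServer/security/requestFiltering")
    if rf is None:
        return ["no <requestFiltering> section in this web.config"]
    # A collection is only enforced for WebDAV requests when applyToWebDAV="true".
    for name in ("verbs", "fileExtensions", "hiddenSegments"):
        node = rf.find(name)
        if node is None:
            findings.append(f"<{name}> is missing")
        elif node.get("applyToWebDAV", "false").lower() != "true":
            findings.append(f'<{name}> lacks applyToWebDAV="true"')
    denied = {a.get("verb", "").upper() for a in rf.findall("verbs/add")
              if a.get("allowed", "true").lower() == "false"}
    for verb in ("MOVE", "MKCOL"):
        if verb not in denied:
            findings.append(f"verb {verb} is not denied")
    hidden = {a.get("segment", "").lower() for a in rf.findall("hiddenSegments/add")}
    if "web.config" not in hidden:
        findings.append("web.config is not a hidden segment")
    return findings

if __name__ == "__main__":
    for finding in audit_request_filtering(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

The script reads only the site's own web.config, so settings inherited from the server-level configuration are not visible to it.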