index.htmWebDAV Test Page

FTP

File Transfer Protocol

WebDAV

Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web.

Kerberos

Kerberos is the primary security protocol for authentication within a domain. Kerberos is the best option for WebDAV client authentication and file security.

Configuring Web Permissions

•	Read, Write, and directory browsing enabled: Turning on these permissions allows clients to see a list of resources, modify them (except for those resources without Write permission), publish their own resources, and manipulate files.
•	Write enabled; and Read and directory browsing disabled: If you want clients to publish private information on the directory, but do not want others to see what has been published, set Write permission and do not set Read or directory browsing permission. This configuration works well if clients are submitting ballots or performance reviews.
•	Read and Write enabled; and directory browsing disabled: Set this configuration if you want to rely on obscuring file names as a security method. However, be aware that security by obscurity is a low-level security precaution because an attacker could guess file names by trial and error.
•	Index this resource enabled: Be sure to enable Indexing Service if you plan to let clients search directory resources.

Controlling Access with DACLs

WebDAV takes advantage of the security features offered by the platform and the Web server, including permissions control and discretionary access control lists (DACLs) in the NTFS file system. When setting up a WebDAV publishing directory on an NTFS file system drive, make sure the Everyone group has Read permission only. Then assign Write permission to specific individuals or groups.

Protecting Script Code

If you have script files in your publishing directory that you do not want to expose to clients, you can deny access to these files by verifying that Script source access permission is not assigned. Executable files are treated as static HTML files unless Scripts and Executables is enabled for the directory.

To prevent .exe files from being downloaded and viewed as HTML files, but to allow .exe files to run, on the Virtual Directory property sheet of the publishing directory, change the Execute Permissions to Scripts and Executables.

This level of permission makes all executable files subject to the Script source access setting. When Script source access is selected, clients with Read permission can see all executables; and clients with Write permission can edit them, as well as run them.

With the following permissions, clients can write to an executable file that does not appear in the Application Mapping:

•	Write permission is assigned.
•	Execute Permissions is set to Scripts only.

With the following permissions, clients can write to any executable file, regardless of whether it appears in the Application Mapping:

•	Script source access is assigned.
•	Execute Permissions is set to Scripts and Executables.