To secure my company's Windows 2000 IIS 5.0 servers, I want to disable WWW Distributed Authoring and Versioning (WebDAV). I know that I can disable WebDAV by using the IIS Lockdown Tool to remove NTFS permissions on httpext.dll. However, changing the ACLs means that the System account won't update httpext.dll if I install a hotfix or service pack because the account won't have access to the file. Thus, before and after each hotfix or service pack installation, I would need to change the ACLs on many IIS servers. How can I enable and disable WebDAV without changing the ACLs on system files?
Regular readers know that WebDAV is one of my hot buttons. But, as much as I'd like to, I won't discuss using WebDAV to access files and folders on IIS here. If you're unfamiliar with WebDAV, see "IIS Informant: Using Web Folders with WebDAV," April 2002, InstantDoc ID 24264.
When Microsoft first released Win2K, the only server-side method for disabling WebDAV was to change the httpext.dll file's ACLs. As you pointed out, this solution has serious disadvantages. However, recent updates to the IIS Lockdown Tool and to Win2K provide two new ways to disable WebDAV without changing the ACLs of system files.
Aside from using an application-aware firewall that lets you specify what verbs to allow per URL, the only way to control WebDAV on a site-by-site basis is to use UrlScan. UrlScan, which is part of the new IIS Lockdown Tool 2.1 (recently updated to 2.5), has the ability to reject WebDAV verbs. Although Microsoft intended verb rejection on a server-by-server basis, you can use UrlScan on a site-by-site basis. Each site needs a unique configuration file. Microsoft doesn't recommend this practice, but it's possible. You can download UrlScan from http://www.microsoft.com/downloads/release.asp?releaseid=33961.
Win2K Security Rollup Package 1 (SRP1) contains registry and file updates that let you disable WebDAV on a server. Using regedit, you create an entry named DisableWebDAV under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters subkey. You assign this entry a value type of DWORD and a value of 1. For more information about how to add this registry entry, see the Microsoft article "Locking Down WebDAV Through ACL Still Allows PUT and DELETE Requests" (http://support.microsoft.com/directory/article.asp?id=kb;en-us;q307934). This registry solution is valid only on Win2K OSs on which you've installed Win2K SRP1 or Win2K Service Pack 3 (SP3). You can download Win2K SRP1 from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/w2ksrp1.asp.
