Using Web DAV with IIS 5.0

    August 14, 2003

The basic purpose of WebDAV is to provide file I/O through HTTP. This permits your to load, edit, delete, create subdirectories, and basically manage files located on the Web Server from the client desktop. Of course, MS has several products that already permit remote manipulation of remote websites.

FTP permits you to upload, download, navigate and manipulate files, but has limited security features. You have to install the FTP server as well which consumes resources and requires administration.

Posting Acceptor by MS has been around a while and does permit you to upload files to website, but requires greater permissions to use than you may be comfortable with while providing limited flexibility.

Front Page and Visual Interdev certainly permits the client to post and manipulate files on an IIS Frontpage web but also creates administrative headaches and is proprietary to MS.

Enabling WebDAV

WebDAV is aimed at making it easy. You can use it without installing any additional server services or client services. Recently, I had an email exchange with an IIS administrator who was fuming about his experience trying to find a way to turn on WebDav. There’s the first surprise. It’s already on.

Web Dav is actually a custom extension by MS of HTTP 1.1. These http extensions are built into IIS 5.0 and IE 5.0. In other words, once you have installed IIS 5, when you access it from IE 5 or from My Network Places’, you are Web Dav enabled. No setups switches to turn on. The downside is that you can’t turn it OFF either. Gulp.

FYI, WebDAV is also supported by Exchange 2000.

WebDAV Standards and Specifications

Since WebDAV is a standard being worked on by the W3C, it’s not an MS invention. There are WebDAV clients and utilities out there that work with WebDAV servers other than MS products. It’s defined in RFC-2518. Of course, MS being MS, they added their not insignificant bit of functionality which we’ll get into later.

The basic WebDAV RFC extends HTTP by adding some additional verbs.

  • PROPFIND – searches for properties for an object
  • PROPGET – retrieve a property from an object
  • PROPPATCH – update a property of an object
  • MKCOL – make a subdirectory
  • DELCOL – delete a subdirectory
  • LOCK – lock a file or object
  • UNLOCK – release the lock

Microsoft has additional functionality via the TRANSLATE header. The TRANSLATE header is designed to permit you to download script source to via your browser rather than have it rendered. This capability is already present in systems for use with FrontPage and Visual InterDev. The purpose of the new “Script Source Access” checkbox in IIS 5 websites and virtual directory properties is to turn on and off the use of the TRANSLATE header. However, even if off, WebDAV is still enabled.

In addition to these verbs, six new HTTP errors were added:

  • 102 Processing – WebDAV is running please wait
  • 207 Multi-Status – A general status report of operations
  • 422 Unprocessable Entity – essentially means, file not found
  • 423 Locked – The file you are accessing is currently locked
  • 424 Method Failure – the method failed to complete
  • 425 Insufficient Space – out of disk space

IIS 5.0 checks every communication for WebDAV content and routes appropriate packets to httpext.dll. Httpext.dll is an ISAPI extension, but unlike ASP.dll, it is not to be found in the application mappings. So what’s the deal? Since WebDAV is not actived by a file extension and is contained in the HTTP protocol, it cannot be mapped in the same way. Like I said before, you can’t turn it off.

UPDATE: As of SP3 (or SR1) there is a new registry property that disables WebDAV for the entire server. See Q241520.

WebDAV Properties

WebDAV permits the use of non-operating associated properties to be associated with files. Since they are not part of the file system, these properties are stored in the metabase. They can be extended and searched using custom tools. For example, if a file is locked via WebDAV property keys, that WebDAV properties for that file are updated. For more information about this and other related WebDAV capabilites, see the IIS 5 online documentation.

Connecting to WebDAV folder

  • Through Windows 2000: My Network Places
  • Through Internet Explorer 5: Will open the site showing files instead of rendering the pages. You can then manipulate the files just like using Windows Explorer.
  • Through Office 2000: Theoretically, you can use Office 2000 applications to read and write to WebDAV locations. In practice, however, this has not worked reliably for me.

Security Issues

In my eyes, WebDAV creates a host of security concerns. Since it can’t be turned off and since it permits manipulation of files on the server then it’s just a matter of time till this is exploited in a fairly major way. Currently, the only way to limit use of WebDAV is via NTFS permissions. There is also the Script Source Access’ checkbox, but that is not configurable on a per user basis. Consequently, it’s either on for everyone or off for everyone.

Due to the design, if you want one person to be able to access a site with WebDAV, the web or virtual directory permissions must be set to Read and Write. If you wish them to be able to list the contents, then Directory Browsing must also be enabled. Consequently, web access controls in the MMC become more liberal than you would generally assign using, for example, Front Page. With Front Page, you can set your web to Read in the MMC, and still write to the site using the Front Page client. This is managed via a combination of proprietary communications and NTFS permissions. Since WebDAV is actually HTTP, you can’t write to the site with WebDAV unless Write is enabled in the MMC. So, with a write enabled site, control then falls to the file system to shape access control. The good news is that NTFS is quite capable in this regard. The bad news is that you are relying entirely on NTFS.

WebDAV permits clients to put locks on files, perform recursive operations on large sets of files, as well as upload large files. All of these and more are possible exploits.

Authentication to WebDAV folders and webs is done through the standard W2K processes. Digest authentication is specifically supported.


WebDAV is sort of a hidden’ benefit of IIS 5.0/W2K. While it provides some usefulness, it creates some problems. I am concerned that this functionality is not optional and can’t be disabled via the user interface. Nevertheless, it is handy when I can just double-click on a web folder and it opens up in a file system context. However, it is almost as inconvenient when I type in the URL in IE 5.0 and it opens to show files and folders instead of the rendered page. It is then necessary to double-click the default page to render the page.

So, it’s a mixed bag. I’m predicting some major exploits of this capability in the near future (just like when I saw WSH, I had a this sinking feeling that Melissa was not far away). Nevertheless, in some development environments, the usefulness of the drag and drop manipulation of files on the web server may be worth the additional risks and administration.

Articles of Interest

First appeared at

Brett Hill, Internet Information Services MVP, is one of the nation’s
leading trainers and authors on IIS. He has assisted Microsoft on the
development of Internet Information Services 5.0’s course 2295a and is the
lead Subject Matter Expert on Microsoft’s Internet Information Services 6.0
courseware. Brett is a contributing editor to Windows & .Net Magazine, the
author of Microsoft TechNet’s monthly IIS Insider column, and writes the
IISAnswers newsletter ( His courses on advanced IIS 5
and IIS 6 administration and security (, has been
attended by many Fortune 500 companies and US Government agencies.