WebDAV Redirector

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • #2223

    Webmaster
    Keymaster

    Applies To: Windows Server 2003 with SP1

    What does WebDAV Redirector do?

    The WebDAV Redirector (DAVRdr) allows computers running Windows Server 2003 to use WebDAV (Web-based Distributed Authoring and Versioning) servers, such as Windows SharePoint Services and MSN Communities, as if they were standard file servers. It consists of a kernel component that connects to a Windows NT remote filesystem stack, and a user-level component (Web Client service) that translates filesystem requests into WebDAV requests.
    Who does this feature apply to?

    This feature is used by people who access WebDAV servers through the remote filesystem. WebDAV Redirector is implemented in the remote filesystem stack. Client administrators, and users who are concerned with the security of their computer credentials, need to be aware of this change if they access remote files on a WebDAV server using a Universal Naming Convention (UNC) path. For example, a file request such as \\ServerName\ShareName\File.txt will be processed by WebDAV Redirector and will be affected by this change in functionality.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

    Disabling Basic Authentication over a clear channel

    Detailed description

    WebDAV is an extension of Hypertext Transfer Protocol (HTTP), and as such includes the use of Basic Authentication (BasicAuth). BasicAuth is one form of user authentication, or means by which a user is identified to the server. With BasicAuth, the client transmits the user’s credentials (user name and password) to the server. If the channel is unencrypted, such as with normal HTTP traffic, any computer on the network can see the user’s user name and password and therefore steal their identity. The DAVRdr does not support encrypted HTTP (HTTPS or SSL), and will transmit the user’s credentials in the clear (without encryption) if the server supports basic authentication. Although a server most likely would not be configured to use basic authentication, it would be possible to set up the server expressly to obtain users’ credentials.

    Because of this possibility, Windows Server 2003 Service Pack 1 (SP1) includes the ability to enable or disable the use of BasicAuth by the DAVRdr. By default, use of BasicAuth is disabled with SP1. When BasicAuth is disabled, the client will either use a different authentication method (if the server supports one) or fail the request.
    Why is this change important?

    Users can log on to WebDAV servers for remote file access without fear of transmitting their password in the clear.

    What threats does it help mitigate?

    Imagine a corporate user at Contoso Corporation who routinely accesses the file share \\Contoso_Server\Sales outside the corporation on a public network, and uses an application that attempts to access that share as part of normal background activity. Since the user’s portable computer is outside the corporate network, the request should fail. However, the DAVRdr will transmit a request to see if there is a DAV server named Contoso_Server, even though the actual server that the portable computer is attempting to access is an SMB server.

    An attacker can be operating on that same public network with a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS request. The portable computer will then try to access a DAV share on that rogue server. If the rogue server responds with BasicAuth as the authentication method, a dialog box appears that asks for the user’s credentials. The dialog box identifies the server as Contoso_Server, leading the user to believe the request is legitimate. If the user enters their user name and password, the client transmits that information in the clear and the attacker thus gains access to that user’s login information. There is no indication to the user that the channel is not secure, that the request is being handled by the DAVRdr, or that the portable computer will transmit the user name and password in the clear. Note that the current default Windows authentication methods never transmit a user’s password in the clear.
    What works differently?

    Since the change to default behavior only affects the DAVRdr, the only scenarios that fail to work are those that require basic authentication and that use the DAVRdr. An example is using Notepad.exe to access a Web site that only allows BasicAuth. This scenario will no longer work. Also, even if the server was configured to only use basic authentication, other applications such as Microsoft Office will continue to work, since they use a different DAV client.

    How do I resolve these issues?

    You can enable BasicAuth by adding the following registry key and setting it to a non-zero value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD)

    If you delete the registry key or set it to 0, the behavior reverts to the default, which disables the use of BasicAuth.
    WinINet: Disabling Basic Authentication over a clear channel

    Detailed description

    Because the DAVRdr is part of the remote filesystem stack, a computer is open to attack whenever an attempt is made to remotely access files. Although the threat to other applications that use the Internet APIs is less severe than it is for the DAVRdr, a similar attack is possible whenever an application (or the user) attempts to access a URL. For this reason, WinINet is exposing the mechanism by which the DAVRdr disables BasicAuth to other users of the Internet APIs.

    There are two ways to block the use of Basic Authentication over clear (or unencrypted) channels:

    1. Create the following registry key and set it to a non-zero value:

       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel (DWORD)

       This prevents WinINet from attempting to use BasicAuth unless the channel is secured (using HTTPS or SSL).

    2. The application can disable the use of BasicAuth for its connections by setting the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag (0x4) in the value supplied in the call to InternetSetOption using INTERNET_OPTION_AUTH_FLAGS.
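    Added example (not part of the original post or of Microsoft's documentation): a PowerShell function that audits the two DWORD values described above, UseBasicAuth for the DAVRdr and DisableBasicOverClearChannel for WinINet, and with -Enforce writes the values that keep BasicAuth off unencrypted channels. The function name, the -Enforce switch and the report layout are this example's own; the registry paths are the ones given in the post, and the HKCU value is checked only for the user running the script.

```powershell
# Example audit/hardening script added for this page; not Microsoft's code.
# Reports whether BasicAuth can still be sent over an unencrypted channel by the
# WebDAV Redirector (HKLM UseBasicAuth) and by WinINet (HKCU
# DisableBasicOverClearChannel). Run elevated; -Enforce writes the safe values.
function Test-ClearChannelBasicAuth {
    [CmdletBinding()]
    param([switch]$Enforce)

    $settings = @(
        [pscustomobject]@{
            Component     = 'WebDAV Redirector (DAVRdr)'
            Path          = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
            Name          = 'UseBasicAuth'
            # Missing or 0 is the SP1 default: BasicAuth disabled for the DAVRdr.
            HardenedValue = 0
            Exposed       = { param($v) ($null -ne $v) -and ($v -ne 0) }
        },
        [pscustomobject]@{
            Component     = 'WinINet (Internet APIs)'
            Path          = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
            Name          = 'DisableBasicOverClearChannel'
            # Missing or 0 leaves BasicAuth over HTTP allowed; nonzero blocks it.
            HardenedValue = 1
            Exposed       = { param($v) ($null -eq $v) -or ($v -eq 0) }
        }
    )

    foreach ($s in $settings) {
        # $null when the key or value is absent, which is the pre-SP1 state for both.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $exposed = & $s.Exposed $current

        if ($exposed -and $Enforce) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
                -Value $s.HardenedValue -Force | Out-Null
            $current = $s.HardenedValue
            $exposed = $false
        }

        [pscustomobject]@{
            Component                 = $s.Component
            Value                     = $s.Name
            Current                   = if ($null -eq $current) { '<absent>' } else { $current }
            BasicAuthOverClearChannel = if ($exposed) { 'ALLOWED' } else { 'blocked' }
        }
    }
}

Test-ClearChannelBasicAuth
```

    Run it again with `Test-ClearChannelBasicAuth -Enforce` to set UseBasicAuth to 0 and DisableBasicOverClearChannel to 1; applications that rely on the InternetSetOption flag instead are not visible to this registry check.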
    Why is this change important?

    Users can log on to WebDAV servers for remote file access without fear of transmitting their password in the clear.

    What threats does it help mitigate?

    Imagine a corporate user who routinely accesses the Web site http://www.contoso.com/sales. While outside the corporation on a public network, the user attempts to access that site using Internet Explorer. Since the laptop is outside the corporation, the request should fail with a “Server not found” message. An attacker can run on that same public network with a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS lookup. The laptop will then try to send the HTTP request to load the page from the rogue server. If the rogue server responds with BasicAuth as the authentication method, the laptop responds to the user, asking for his or her credentials. It identifies the site http://www.contoso.com/sales, leading the user to believe the request is legitimate. If the user enters his or her user name and password, the client will transmit that information in the clear, and the attacker thus gains access to that user’s login information. In particular, there is no indication to the user that the channel is insecure, or that the laptop will transmit the user name and password in the clear.

    What works differently?

    By default, there is no change in behavior for WinINet applications (except for the DAVRdr as noted above). If this setting is disabled, the user is unable to connect to HTTP servers that only support Basic Authentication.
    What settings are added or changed in Windows Server 2003 Service Pack 1?

    WebDAV Redirector Settings

    Setting name: UseBasicAuth
    Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth
    Previous default value (if applicable): Not applicable.
    Default value: Key doesn’t exist (BasicAuth disabled for DAVRdr)
    Possible values: 0, nonzero

    Setting name: DisableBasicOverClearChannel
    Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
    Previous default value (if applicable): Not applicable.
    Default value: Key doesn’t exist (BasicAuth enabled for everything else)
    Possible values: 0, nonzero
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?

    No changes are necessary. Developers who write applications that use the Internet APIs and want to disable BasicAuth, as the DAVRdr does, can add a call to InternetSetOption().
