WebDAV Redirector

Author: Webmaster (Keymaster), post #2223
Applies To: Windows Server 2003 with SP1

What does WebDAV Redirector do?

The WebDAV Redirector (DAVRdr) allows computers running Windows Server 2003 to use WebDAV (Web-based Distributed Authoring and Versioning) servers, such as Windows SharePoint Services and MSN Communities, as if they were standard file servers. It consists of a kernel component that connects to the Windows NT remote file system stack, and a user-level component (the Web Client service) that translates file system requests into WebDAV requests.

Who does this feature apply to?

This feature is used by people who access WebDAV servers through the remote file system. WebDAV Redirector is implemented in the remote file system stack. Client administrators, and users who are concerned with the security of their computer credentials, need to be aware of this change if they access remote files on a WebDAV server using a Universal Naming Convention (UNC) path. For example, a file request such as \\ServerName\ShareName\File.txt will be processed by WebDAV Redirector and will be affected by this change in functionality.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Disabling Basic Authentication over a clear channel

Detailed description

WebDAV is an extension of Hypertext Transfer Protocol (HTTP), and as such includes the use of Basic Authentication (BasicAuth). BasicAuth is one form of user authentication, that is, a means by which a user is identified to the server. With BasicAuth, the client transmits the user's credentials (user name and password) to the server. If the channel is unencrypted, as with normal HTTP traffic, any computer on the network can see the user's user name and password and therefore steal their identity. The DAVRdr does not support encrypted HTTP (HTTPS or SSL), and will transmit the user's credentials in the clear (without encryption) if the server supports basic authentication. Although a server most likely would not be configured to use basic authentication, it would be possible to set up the server expressly to obtain users' credentials.

Because of this possibility, Windows Server 2003 Service Pack 1 (SP1) includes the ability to enable or disable the use of BasicAuth by the DAVRdr. By default, use of BasicAuth is disabled with SP1. When BasicAuth is disabled, the client will either use a different authentication method (if the server supports one) or fail the request.
Why is this change important?

Users can log on to WebDAV servers for remote file access without fear of transmitting their password in the clear.

What threats does it help mitigate?

Imagine a corporate user at Contoso Corporation who routinely accesses the file share \\Contoso_Server\Sales outside the corporation on a public network, and uses an application that attempts to access that share as part of normal background activity. Since the user's portable computer is outside the corporate network, the request should fail. However, the DAVRdr will transmit a request to see if there is a DAV server named Contoso_Server, even though the actual server that the portable computer is attempting to access is an SMB server.

An attacker can be operating on that same public network with a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS request. The portable computer will then try to access a DAV share on that rogue server. If the rogue server responds with BasicAuth as the authentication method, a dialog box appears that asks for the user's credentials. The dialog box identifies the server as Contoso_Server, leading the user to believe the request is legitimate. If the user enters their user name and password, the client transmits that information in the clear and the attacker thus gains access to that user's login information. There is no indication to the user that the channel is not secure, that the request is being handled by the DAVRdr, or that the portable computer will transmit the user name and password in the clear. Note that the current default Windows authentication methods never transmit a user's password in the clear.
What works differently?

Since the change to default behavior only affects the DAVRdr, the only scenarios that fail to work are those that require basic authentication and that use the DAVRdr. An example is using Notepad.exe to access a Web site that only allows BasicAuth. This scenario will no longer work. Also, even if the server was configured to only use basic authentication, other applications such as Microsoft Office will continue to work, since they use a different DAV client.

How do I resolve these issues?

You can enable BasicAuth by adding the following registry value and setting it to a non-zero value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD)

If you delete the registry value or set it to 0, the behavior reverts to the default, that is, the use of BasicAuth is disabled.
WinINet: Disabling Basic Authentication over a clear channel

Detailed description

Because the DAVRdr is part of the remote file system stack, a computer is open to attack whenever an attempt is made to remotely access files. Although the threat to other applications that use the Internet APIs is less severe than it is for the DAVRdr, a similar attack is possible whenever an application (or the user) attempts to access a URL. For this reason, WinINet is exposing the mechanism by which the DAVRdr disables BasicAuth to other users of the Internet APIs.

There are two ways to block the use of Basic Authentication over clear (or unencrypted) channels:

1. Create the following registry value and set it to a non-zero value. This prevents WinINet from attempting to use BasicAuth unless the channel is secured (using HTTPS or SSL).

   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel (DWORD)

2. The application can disable the use of BasicAuth for its own connections by setting the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag (0x4) in the value supplied in the call to InternetSetOption using INTERNET_OPTION_AUTH_FLAGS.
Why is this change important?

Users can log on to WebDAV servers for remote file access without fear of transmitting their password in the clear.

What threats does it help mitigate?

Imagine a corporate user who routinely accesses the Web site http://www.contoso.com/sales. While outside the corporation on a public network, the user attempts to access that site using Internet Explorer. Since the laptop is outside the corporation, the request should fail with a "Server not found" message. An attacker can run on that same public network with a computer that spoofs WINS requests, returning a pointer to itself in response to any WINS lookup. The laptop will then try to send the HTTP request to load the page from the rogue server. If the rogue server responds with BasicAuth as the authentication method, the laptop responds to the user, asking for his or her credentials. It identifies the site as http://www.contoso.com/sales, leading the user to believe the request is legitimate. If the user enters his or her user name and password, the client will transmit that information in the clear, and the attacker thus gains access to that user's login information. In particular, there is no indication to the user that the channel is insecure, or that the laptop will transmit the user name and password in the clear.

What works differently?

By default, there is no change in behavior for WinINet applications (except for the DAVRdr as noted above). If this setting is enabled, that is, Basic Authentication over a clear channel is disabled, the user is unable to connect to HTTP servers that only support Basic Authentication.
What settings are added or changed in Windows Server 2003 Service Pack 1?

WebDAV Redirector Settings

Setting name: UseBasicAuth
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth
Previous default value (if applicable): Not applicable.
Default value: Key doesn't exist. (BasicAuth disabled for DAVRdr)
Possible values: 0, nonzero

Setting name: DisableBasicOverClearChannel
Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
Previous default value (if applicable): Not applicable.
Default value: Key doesn't exist. (BasicAuth enabled for everything else)
Possible values: 0, nonzero
Do I need to change my code to work with Windows Server 2003 Service Pack 1?

No changes are necessary. Developers who write applications that use the Internet APIs and want to disable BasicAuth, as the DAVRdr does, can add a call to InternetSetOption().
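The following Python model, added here as an illustration and not code from Microsoft or from this post, captures the client-side policy the document describes: the WebClient UseBasicAuth value gates Basic for the DAVRdr (which never encrypts), while for other WinINet users Basic over plain HTTP is blocked by either the DisableBasicOverClearChannel value or the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL (0x4) flag passed via InternetSetOption. The scheme preference order and the WWW-Authenticate parsing are assumptions of this model, not Microsoft's implementation.

```python
# Constant taken from the page; the policy model around it is an assumption.
AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL = 0x4   # INTERNET_OPTION_AUTH_FLAGS bit
PREFERRED_ORDER = ["Negotiate", "NTLM", "Digest", "Basic"]  # assumed preference

def basic_allowed(client, secure, use_basic_auth=0,
                  disable_basic_over_clear=0, auth_flags=0):
    """Whether Basic may be used on this connection after SP1.
    client: 'davrdr' (WebClient service) or 'wininet' (other Internet API user).
    The integers mirror the registry values from the settings table;
    an absent value behaves like 0."""
    if client == "davrdr":
        # DAVRdr never encrypts, so only the WebClient UseBasicAuth value matters.
        return use_basic_auth != 0
    if secure:
        return True            # HTTPS channel: Basic is not sent in the clear
    if disable_basic_over_clear != 0:
        return False           # per-user WinINet registry switch
    if auth_flags & AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL:
        return False           # application opted out via InternetSetOption
    return True

def parse_challenges(www_authenticate):
    """Scheme names offered in a WWW-Authenticate header, e.g.
    'Negotiate, NTLM, Basic realm="Sales"' -> ['Negotiate', 'NTLM', 'Basic'].
    A comma-separated chunk whose first token contains '=' is a parameter
    of the previous challenge, not a new scheme."""
    schemes = []
    for chunk in www_authenticate.split(","):
        token = chunk.strip().split(" ", 1)[0]
        if token and "=" not in token:
            schemes.append(token)
    return schemes

def choose_scheme(url, www_authenticate, client="wininet", **policy):
    """Return the scheme the client would answer with, or None to fail the
    request ('use a different authentication method ... or fail the request')."""
    offered = {s.lower() for s in parse_challenges(www_authenticate)}
    secure = url.lower().startswith("https://")
    for scheme in PREFERRED_ORDER:
        if scheme.lower() not in offered:
            continue
        if scheme == "Basic" and not basic_allowed(client, secure, **policy):
            continue
        return scheme
    return None
```

With the page's rogue-server scenario (a server that offers only Basic), choose_scheme returns None for the DAVRdr under the SP1 default and for a WinINet application that set the 0x4 flag, and "Basic" for an unchanged WinINet application.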
