WebDAV is automatically enabled in IIS 5.0, and you can't turn it off. IIS 5.0 constantly monitors all HTTP traffic for WebDAV verbs, including the new Microsoft-only creations (e.g., the Translate header). When IIS 5.0 encounters a WebDAV verb, the Web server invokes the Internet Server API (ISAPI) extension httpext.dll to process the WebDAV request. WebDAV doesn't rely on file extensions to operate, so you won't find httpext.dll in your IIS 5.0 server's application mappings. Although httpext.dll is an ISAPI extension, you can't unmap the extension.
Controlling file I/O on a Web server is the basis of Web security, and WebDAV lets users perform file I/O; thus, WebDAV creates a potentially serious security problem. You can't use port filtering to just stop file access through WebDAV because access occurs through the HTTP port (port 80).
To write files to the server through WebDAV, you need to enable IIS 5.0's Write permission. This permission isn't user-specific, so enabling it lets all users write to the Web. Thus, WebDAV makes NTFS solely responsible for controlling who can access files on the file server. However, enabling IIS 5.0's Write permission doesn't let users modify Active Server Pages (ASP) or other script-mapped files.
To enable script editing, you need to turn on Script source access, the only WebDAV property that you can adjust in IIS 5.0. Figure 1 shows the Default Web Site Properties Home Directory tab. When you select the tab's Script source access and Write check boxes and use a WebDAV-enabled application to open an ASP or other application-mapped script file, IIS 5.0 delivers the ASP source document instead of interpreting the ASP code and sending the resulting HTML. You can set Script source access at the Web site level and for individual pages.
Other concerns with WebDAV include potential Denial of Service (DoS) attacks, locking files, and access to source files. In response to a security concern involving a Microsoft addition to the WebDAV verbs (i.e., the Translate:f command), Microsoft released Security Bulletin MS00-058, "Patch Available for 'Specialized Header' Vulnerability" (http://www.microsoft.com/technet/security/bulletin/ms00-058.asp). For more information about this particular problem, see the Microsoft article "Internet Information Service May Return Source of Active Server Pages File" (http://support.microsoft.com/support/kb/articles/q256/8/88.asp) and "The Translate:f Security Hole" (http://www.4guysfromrolla.com/webtech/081500-1.shtml). You can find more information about other IIS 5.0 security settings in IIS 5.0's online WebDAV documentation.
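Because WebDAV file I/O arrives on port 80 and can't be port-filtered away, the practical control is to watch the request verbs IIS logs. The following added example (not from the original article) parses IIS W3C extended log lines and summarises, per client address, WebDAV read verbs and file-writing verbs split by whether IIS served or refused them; the log lines are constructed for illustration.

```python
"""Scan IIS W3C extended log lines for WebDAV file I/O (added example)."""
from collections import defaultdict

# Verbs WebDAV clients use to create, modify or remove server-side files.
WRITE_VERBS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
# Verbs that only enumerate or lock resources but still identify WebDAV clients.
READ_VERBS = {"PROPFIND", "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-09-12 10:00:01 10.0.0.5 GET /default.asp 200
2000-09-12 10:00:07 10.0.0.5 PROPFIND /scripts/ 207
2000-09-12 10:00:09 10.0.0.5 PUT /scripts/new.asp 201
2000-09-12 10:00:12 10.0.0.7 MKCOL /upload/ 201
2000-09-12 10:00:15 10.0.0.7 DELETE /default.htm 403
2000-09-12 10:00:20 10.0.0.9 POST /search.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive can repeat after a log rollover
        elif line.startswith("#") or not line.strip():
            continue                    # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def webdav_activity(text):
    """Summarise WebDAV verbs per client: reads, and writes split by outcome."""
    report = defaultdict(lambda: {"reads": 0, "writes_ok": 0, "writes_denied": 0})
    for req in parse_w3c(text):
        verb, status = req["cs-method"].upper(), int(req["sc-status"])
        if verb in READ_VERBS:
            report[req["c-ip"]]["reads"] += 1
        elif verb in WRITE_VERBS:
            # 2xx means IIS (and NTFS) let the write through; anything else was refused
            key = "writes_ok" if 200 <= status < 300 else "writes_denied"
            report[req["c-ip"]][key] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, counts in webdav_activity(SAMPLE_LOG).items():
        print(ip, counts)
```

A client that shows successful writes against a site where you did not intend to grant the Write permission is the first thing to investigate, since the IIS permission alone does not tell you which users NTFS is letting through.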
Application mappings. If you don't understand the difference between the ways that IIS 5.0 and IIS 4.0 handle application mappings, you can create problems for your server. IIS uses application mappings to map file extensions to executables. For example, application mappings direct ASP files to asp.dll. You can add mappings to let IIS use almost any kind of scripting, such as Perl, Rexx, or PHP.
To access the App Mappings tab in IIS 5.0 or IIS 4.0, select the Default Web Site Properties' Home Directory tab. Click Configuration, and in the resulting dialog box, click App Mappings. You can also reach App Mappings through a virtual directory set up as an application.
Figure 2 shows the IIS 5.0 App Mappings tab, and Figure 3 shows the IIS 4.0 version. The labels on the rightmost columns in Figure 2 and Figure 3 show the big difference between IIS 5.0 and IIS 4.0. The IIS 5.0 label is Verbs, and the IIS 4.0 label is Exclusions. By default, IIS 5.0 disallows new verbs in the HTTP specification. When you map applications to executables, you need to specify which HTTP verbs the system allows. IIS 4.0 is the opposite, allowing new verbs by default. You need to specify which verbs the system disallows, or excludes.
If you ignore the App Mappings column headings and, on IIS 5.0, list the verbs you want excluded (such as DELETE and PUT) instead of the verbs you want allowed (such as GET and POST), the server returns the error message 403.1 Execute Access Forbidden, followed by misleading text: You have attempted to execute a CGI, ISAPI or other executable program from a directory that does not allow programs to be executed. If you believe the error message, you'll never track down the problem. Auditing won't help you identify it, and neither will Filemon (a file-monitoring program available at http://www.sysinternals.com) or other troubleshooting techniques that search for executable NTFS permissions. Giving the Everyone group full control of the target files won't solve the problem either.
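The inversion between the IIS 4.0 Exclusions column and the IIS 5.0 Verbs column is easy to check mechanically. The following added example (not from the original article) models both rules over a metabase-style ScriptMaps entry, .ext,path,flags,VERB,..., which is an assumed layout here, and reports which everyday verbs a mapping would refuse; the entries are constructed.

```python
"""Lint the verb column of an IIS application mapping (added example)."""

def parse_mapping(entry):
    """Split a ScriptMaps-style entry '.ext,path,flags,VERB,...' into its parts.

    The metabase-style layout is an assumption of this example; the article
    only describes the App Mappings dialog box."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed mapping: {entry!r}")
    return parts[0].lower(), parts[1], {v.upper() for v in parts[3:] if v}

def verb_allowed(entry, iis_version, verb):
    """Decide whether IIS would hand `verb` to the mapped executable.

    IIS 5.0: the verb list is inclusive; an empty list means All Verbs.
    IIS 4.0: the verb list is exclusive; listed verbs are the ones refused."""
    _, _, listed = parse_mapping(entry)
    verb = verb.upper()
    if iis_version == 5:
        return not listed or verb in listed
    if iis_version == 4:
        return verb not in listed
    raise ValueError("only IIS 4.0 and IIS 5.0 semantics are modelled")

def lint_mapping(entry, iis_version, needed=("GET", "HEAD", "POST")):
    """Return the everyday verbs this mapping refuses (each one a 403.1 in practice)."""
    return [v for v in needed if not verb_allowed(entry, iis_version, v)]

# Constructed entries: a correct IIS 5.0 allow list, and the IIS 4.0 habit of
# listing exclusions carried over unchanged into an IIS 5.0 Verbs column.
ASP_ALLOW_LIST  = ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE"
ASP_EXCLUSIONS  = ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,PUT,DELETE"

if __name__ == "__main__":
    for version in (4, 5):
        print(f"IIS {version}.0 refuses:", lint_mapping(ASP_EXCLUSIONS, version))
```

The same PUT,DELETE list is harmless under IIS 4.0 rules and silently breaks every GET and POST to .asp files under IIS 5.0 rules, which is exactly the case the 403.1 message does not describe.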
Socket pooling. When you use IIS 4.0 to create a Web site, the Web server allocates TCP sockets specifically for that Web site. For example, if you have 20 Web sites, each with a different IP address, IIS 4.0 dedicates a connection socket to each of those 20 sites, and each socket listens at port 80. This arrangement limits scalability and performance because resources that idle sockets consume aren't available for other sites to use.
In contrast, IIS 5.0 uses socket pooling, which the Web server enables by default for all sites that have different IP addresses and use the same port. Regardless of the number of Web sites using port 80, all sites will share the same set of TCP sockets. This arrangement improves the distribution of server resources.
If your Web sites don't have different IP addresses, you're most likely using host headers to create multiple Web sites on one IP address. Socket pooling doesn't work for host-header sites; it works only for sites that have unique IP addresses. Most online documentation about host headers doesn't make this distinction clear.
IIS 5.0's README file (see the Microsoft article "Contents of Internet Information Server 5.0 Release Notes" at http://support.microsoft.com/support/kb/articles/q250/9/79.asp) describes a hidden feature that relates to socket pooling. If you tune the performance of one pooled-socket Web site, you affect the performance of all the other Web sites in the socket pool. You adjust Web site performance settings on the Default Web Site Properties' Performance tab, which Figure 4 shows.