What are the security ramifications that one should be aware of when considering using WebDAV? How does one go about securing it? What else should I know about it?
Answer
WebDAV by itself doesn't have any security. It'll let anyone touch anything. It says in the standards docs that this should be handled in the web-server layer (or the application, if that's providing the WebDAV service).
Authentication
WebDAV has no native auth service, so one needs to be put in front of it. Different web servers handle this differently, depending on what DAV module you're using. Server-specific modules (mod_dav) will behave differently than those based out of app servers like Tomcat. This is the normal HTTP auth stuff: Basic, Digest, SASL, Kerberos, etc.
HTTPS
Without it, the authentication won't be encrypted (unless you're doing IIS-based WebDAV and NTLM), and the files won't be transferred encrypted either.
Local Auth
Depending on what's driving the WebDAV, pay attention to the actual OS user that drops the files. Sometimes the DAV server will impersonate the actual user; other times it's all one user dropping files, and it's up to the application to keep users away from files they shouldn't have access to.
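As an added example, not part of the answer above, here is how the three points (auth in front of DAV, HTTPS, and one OS user writing the files) look in an Apache httpd 2.4 configuration using mod_dav/mod_dav_fs, with the unsecured form shown first for contrast. The hostname dav.example.com, the certificate and user-file paths, and the /srv/dav document root are assumptions for the example.

```apache
# --- Weak: what "WebDAV by itself" looks like. DAV is on, nothing authenticates,
# --- and it listens on plain HTTP, so anyone can PROPFIND/PUT/DELETE in the clear.
<VirtualHost *:80>
    ServerName dav.example.com
    DocumentRoot "/srv/dav"
    <Directory "/srv/dav">
        Dav On
    </Directory>
</VirtualHost>

# --- Hardened form ------------------------------------------------------------

# Plain HTTP only redirects, so neither credentials nor file bodies ever travel
# unencrypted (Basic/Digest auth over port 80 would leak them otherwise).
<VirtualHost *:80>
    ServerName dav.example.com
    Redirect permanent "/" "https://dav.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName dav.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/dav.example.com.crt"     # assumed path
    SSLCertificateKeyFile "/etc/ssl/private/dav.example.com.key"   # assumed path

    # mod_dav_fs needs a lock database; the directory must be writable by the
    # httpd user (www-data/apache) and by nobody else.
    DavLockDB "/var/lib/apache2/davlock/DavLock"                   # assumed path
    DocumentRoot "/srv/dav"

    <Directory "/srv/dav">
        Dav On
        Options None
        AllowOverride None

        # Authentication in front of DAV. Digest keeps the password off the wire
        # even if TLS were misconfigured; the realm ("WebDAV") must match the one
        # used when creating the file with: htdigest -c /etc/apache2/dav.htdigest WebDAV alice
        AuthType Digest
        AuthName "WebDAV"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/dav.htdigest"                   # assumed path

        # Every method, including PROPFIND and GET, requires a valid user.
        Require valid-user
    </Directory>

    # mod_dav does not impersonate the authenticated user: every file is created
    # by the httpd OS user. Per-user separation therefore has to come from
    # Require rules on separate <Directory> sections, not from filesystem ownership.
    <Directory "/srv/dav/alice">
        Require user alice
    </Directory>
</VirtualHost>
```

Two checks worth running after a reload: `curl -i -X PROPFIND http://dav.example.com/` should return a 301 to the HTTPS URL with no body, and `curl -i -X PROPFIND https://dav.example.com/` should return 401 with a `WWW-Authenticate: Digest` header; only `curl -i --digest -u alice -X PROPFIND https://dav.example.com/alice/` should get a 207. Restricting write methods further with `<LimitExcept>` is possible, but how its `Require` merges with the enclosing section's has changed between httpd versions, so test the resulting policy with curl rather than assuming it.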