Securing Web Services and Web Servers -- The Administrative Perpective

Written by Roberta Bragg; Published by Realtimepublishers.com

This excerpt is from Chapter 2, Securing Web Services and Web Servers -- The Administrative Perspective, of the free e-book The Tips and Tricks Guide to Securing .NET Server written by Roberta Bragg, published by Realtimepublishers.com and available from http://www.netiq.com/offers/ebooks.

    Requires Free Membership to View

Q: We do not allow users to store data on their hard drives. They are provided a place on a file server. I can protect this area with discretionary access control lists, but how do I protect data during transport from client to file server?

A: There are several ways to secure data in flight, including using virtual private networks (VPNs), IPSec and the Secure Sockets Layer (SSL). VPNs are usually the methodology of choice when transferring data across the WAN, while transport-mode IPSec, explained in Question 8.5, is preferred for transferring files on the LAN. However, another methodology exists for protecting files in transport on the intranet, WebDAV over SSL.

WebDAV is the Microsoft implementation of the Distributed Authoring and Versioning extension to HTTP/1.1. You can read about DAV in Request for Comments (RFC) 1518. It was originally designed as an alternative to using FTP to publish files to a Web server, but can also be used as an alternative to SMB. If the Web client is installed, Internet Explorer (IE), Microsoft Office applications and the Windows Desktop can be used to read and write files to a WebDAV-enabled folder. Office applications can also directly open files from and save files to the Web folder, much as they would use a regular local folder or shared folder on a file server. To use WebDAV securely requires securing the IIS Server, the Web folders and the Web site that hosts them. Our focus here is securing data in flight, but we'll start with a secure implementation of WebDAV.

To use WebDAV in Windows Server 2003, you must WebDAV enable the IIS 6.0 Web server and create Web folders on it. (Web folders and WebDAV can also be used with IIS 5.0 and Windows 2000—Win2K.) Then, using the Web client, files can be transferred from the client computer to the Web folder using HTTP. No file share is necessary on the Web server. WebDAV itself does not provide any mechanism for protecting data in transport. However, you can protect data during transfer to the Web folders by establishing and using SSL—after authenticating the connection with the Web server, all data is encrypted during transport. Files saved in the WebDAV folders are not encrypted.

> Read the rest of this excerpt from Chapter 2, Securing Web Services and Web Servers -- The Administrative Perpective.

This was first published in July 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.