This excerpt is from Chapter 2, Securing Web Services and Web Servers -- The Administrative Perspective, of the free e-book The Tips and Tricks Guide to Securing .NET Server written by Roberta Bragg, published by Realtimepublishers.com and available from http://www.netiq.com/offers/ebooks.
Q: We do not allow users to store data on their hard drives. They are provided a place on a file server. I can protect this area with discretionary access control lists, but how do I protect data during transport from client to file server?
A: There are several ways to secure data in flight, including using virtual private networks (VPNs), IPSec and the Secure Sockets Layer (SSL). VPNs are usually the methodology of choice when transferring data across the WAN, while transport-mode IPSec, explained in Question 8.5, is preferred for transferring files on the LAN. However, another methodology exists for protecting files in transport on the intranet, WebDAV over SSL.
WebDAV is the Microsoft implementation of the Distributed Authoring and Versioning extension to HTTP/1.1. You can read about DAV in Request for Comments (RFC) 1518. It was originally designed as an alternative to using FTP to publish files to a Web server, but it can also be used as an alternative to SMB. If the Web client is installed, Internet Explorer (IE), Microsoft Office applications and the Windows Desktop can be used to read and write files in a WebDAV-enabled folder. Office applications can also open files from and save files to the Web folder directly, much as they would use a local folder or a shared folder on a file server. Using WebDAV securely requires securing the IIS server, the Web folders and the Web site that hosts them. Our focus here is securing data in flight, but we'll start with a secure implementation of WebDAV.
To use WebDAV in Windows Server 2003, you must WebDAV-enable the IIS 6.0 Web server and create Web folders on it. (Web folders and WebDAV can also be used with IIS 5.0 and Windows 2000—Win2K.) Then, using the Web client, files can be transferred from the client computer to the Web folder over HTTP. No file share is necessary on the Web server. WebDAV itself does not provide any mechanism for protecting data in transport. However, you can protect data during transfer to the Web folders by establishing and using SSL—after the client authenticates to the Web server, all data is encrypted during transport. Note that files saved in the WebDAV folders are not encrypted at rest; SSL protects them only while they are in flight.
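As an added illustration of the client side of this setup (example code written for this page, not from the book or from Microsoft's Web client), the helper below refuses to send file data to a Web folder unless the URL uses HTTPS with a verified certificate, sends credentials only inside that TLS session, and parses the `PROPFIND` multistatus reply that a WebDAV server returns when a folder is listed. The host name `files.example.com`, the `/webfolder/` path and the sample multistatus body are constructed for the example; the `DAV:` namespace and the `PROPFIND`/`PUT` methods are part of the WebDAV protocol itself.

```python
"""WebDAV-over-SSL client helper (added example, not the book's code).

Shows the security-relevant pieces: the transport is HTTPS only, the
certificate and host name are verified, credentials travel only inside
the TLS session, and the PROPFIND reply is parsed with the DAV: namespace.
"""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV_NS = "DAV:"  # XML namespace used by every WebDAV element


def require_https(url):
    """Return (host, port, path) for the URL, refusing plaintext HTTP.

    WebDAV by itself does not protect data in transport, so a client that
    falls back to http:// would leak file contents and credentials.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing plaintext WebDAV transport: %s" % url)
    return parts.hostname, parts.port or 443, parts.path or "/"


def tls_context():
    """TLS settings: verify the server certificate chain and host name."""
    ctx = ssl.create_default_context()  # CA verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def basic_auth_header(username, password):
    """Build an HTTP Basic credential; acceptable only inside TLS."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def put_file(url, data, username, password):
    """Upload bytes to a Web folder with PUT over HTTPS; returns the status code."""
    host, port, path = require_https(url)
    conn = http.client.HTTPSConnection(host, port, context=tls_context())
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(data)),
    }
    conn.request("PUT", path, body=data, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


def list_folder(url, username, password):
    """List a Web folder with PROPFIND (Depth: 1) over HTTPS."""
    host, port, path = require_https(url)
    conn = http.client.HTTPSConnection(host, port, context=tls_context())
    headers = {"Authorization": basic_auth_header(username, password), "Depth": "1"}
    conn.request("PROPFIND", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 207:  # 207 Multi-Status is the expected reply
        raise RuntimeError("unexpected PROPFIND status %d" % resp.status)
    return parse_multistatus(body)


def parse_multistatus(body):
    """Turn a DAV multistatus document into a list of entry dicts."""
    root = ET.fromstring(body)
    entries = []
    for resp in root.findall("{%s}response" % DAV_NS):
        href = resp.findtext("{%s}href" % DAV_NS)
        is_dir = resp.find(".//{%s}resourcetype/{%s}collection" % (DAV_NS, DAV_NS)) is not None
        length = resp.findtext(".//{%s}getcontentlength" % DAV_NS)
        entries.append({
            "href": href,
            "collection": is_dir,
            "size": int(length) if length else None,
        })
    return entries


# Constructed sample reply, shaped like a server's answer to PROPFIND Depth: 1.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/webfolder/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/webfolder/report.docx</D:href>
    <D:propstat>
      <D:prop><D:resourcetype/><D:getcontentlength>2048</D:getcontentlength></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""


if __name__ == "__main__":
    for entry in parse_multistatus(SAMPLE_MULTISTATUS):
        print(entry)
    # put_file("https://files.example.com/webfolder/report.docx", b"...", "alice", "s3cret")
```

The important design choice is that `require_https` runs before any connection is opened, so there is no code path on which credentials or file contents leave the client unencrypted; combined with `ssl.create_default_context()`, which verifies the certificate chain and host name, this is what turns "WebDAV over SSL" into protection of data in flight rather than just an encrypted socket to whoever answers.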
This was first published in July 2003