1. Introduction
WebDAV Detection identifies systems running with WebDAV enabled. WebDAV allows remote management of web server content by authorized users. If this functionality isn’t needed, it presents an unnecessary attack surface. A successful exploit could allow unauthorized access to files on the server, impacting confidentiality, integrity and availability.
2. Technical Explanation
WebDAV extends HTTP to enable remote file management. It relies on standard HTTP ports (typically 80 or 443). An attacker can attempt to exploit WebDAV by sending specially crafted requests to access or modify files. Exploitation requires valid user credentials with sufficient permissions.
- Root cause: The WebDAV service is enabled and accessible over the network, potentially without strong authentication controls.
- Exploit mechanism: An attacker uses a WebDAV client to connect to the server with legitimate credentials, then attempts to list directories or modify files they shouldn’t have access to.
- Scope: Affected platforms include servers running Microsoft IIS (Internet Information Services) and other web servers supporting the WebDAV standard.
3. Detection and Assessment
Confirming a vulnerable system involves checking for the presence of WebDAV functionality. A quick check can identify if it’s listening on common ports, while deeper inspection confirms configuration details.
- Quick checks: Use `netstat -an | findstr /i "80"` or `netstat -an | findstr /i "443"` to see if the server is listening on HTTP/HTTPS ports, then check IIS Manager for WebDAV enabled.
- Scanning: Nessus plugin ID 65971 can detect exposed WebDAV services. This is an example only and may require updating.
- Logs and evidence: Check IIS logs for PROPFIND or PUT requests which are common WebDAV methods. Look in the %SystemDrive%\inetpub\logs\LogFiles folder.
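The log check from the last bullet, as an added example that is not part of the original guide: a parser for IIS W3C logs that honors the `#Fields:` directive and counts WebDAV requests per client, split by whether the server accepted them. It goes beyond the PROPFIND and PUT methods named above by covering the other RFC 4918 methods; the log lines are constructed sample data.

```python
from collections import Counter

# WebDAV methods defined in RFC 4918, plus PUT, which the guide names.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT"}

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 09:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200
2024-01-10 09:00:07 10.0.0.5 PROPFIND /docs/ - 80 alice 192.0.2.44 Microsoft-WebDAV-MiniRedir/10.0 207
2024-01-10 09:00:09 10.0.0.5 PUT /docs/report.txt - 80 alice 192.0.2.44 Microsoft-WebDAV-MiniRedir/10.0 201
2024-01-10 09:01:30 10.0.0.5 PROPFIND / - 80 - 198.51.100.7 - 405
"""

def webdav_requests(lines):
    """Yield a dict for each log entry whose method is a WebDAV method."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file; always use the latest one.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        if entry.get("cs-method", "").upper() in WEBDAV_METHODS:
            yield entry

def summarize(lines):
    """Count WebDAV requests per (client IP, method): accepted vs. rejected."""
    accepted, rejected = Counter(), Counter()
    for e in webdav_requests(lines):
        key = (e.get("c-ip", "?"), e["cs-method"].upper())
        # 2xx (including 207 Multi-Status) means the server handled the request.
        target = accepted if e.get("sc-status", "").startswith("2") else rejected
        target[key] += 1
    return accepted, rejected

if __name__ == "__main__":
    ok, denied = summarize(SAMPLE_LOG.splitlines())
    for (ip, method), n in sorted(ok.items()):
        print(f"ACCEPTED {method:9} from {ip}: {n}")
    for (ip, method), n in sorted(denied.items()):
        print(f"rejected {method:9} from {ip}: {n}")
```

Accepted PROPFIND or PUT entries show that WebDAV is answering on that site; rejected ones show probing against a server where it is off or denied.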
curl -v http://targetserver/
4. Solution / Remediation Steps
Fixing this issue involves disabling WebDAV if it’s not required. These steps are designed to be safe and easily reversible.
4.1 Preparation
- Ensure you have administrator access to the server. A roll back plan is to re-enable WebDAV in IIS Manager.
- Changes should be made during a scheduled maintenance window with appropriate approvals.
4.2 Implementation
- Step 1: Open Internet Information Services (IIS) Manager.
- Step 2: Select the server name in the Connections pane.
- Step 3: Double-click “WebDAV Publisher”.
- Step 4: If WebDAV is enabled, click “Disable” in the Actions pane.
4.3 Config or Code Example
Before
WebDAV enabled: True
After
WebDAV enabled: False
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – limit user accounts’ access to only the resources they need, reducing impact if WebDAV is exploited.
- Practice 2: Safe Defaults – disable unnecessary services like WebDAV by default to reduce the attack surface.
4.5 Automation (Optional)
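# PowerShell example - disable WebDAV authoring on all IIS sites
# Requires an elevated session, the IISAdministration module and the WebDAV Publishing feature.
Import-Module IISAdministration

Get-IISSite | ForEach-Object {
    # WebDAV authoring is set per site under a location tag in applicationHost.config
    $section = Get-IISConfigSection -SectionPath "system.webServer/webdav/authoring" -Location $_.Name
    if (Get-IISConfigAttributeValue -ConfigElement $section -AttributeName "enabled") {
        Write-Host "Disabling WebDAV on $($_.Name)"
        Set-IISConfigAttributeValue -ConfigElement $section -AttributeName "enabled" -AttributeValue $false
    }
}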
5. Verification / Validation
Confirming the fix involves checking that WebDAV is no longer accessible and verifying core IIS functionality remains operational.
- Post-fix check: Run `curl -v http://targetserver/`, which should return a standard HTTP error (e.g., 404 Not Found) instead of WebDAV headers.
- Re-test: Re-run the earlier `netstat` and IIS Manager checks to confirm WebDAV is disabled.
- Smoke test: Verify that other website features, such as serving static content, are still working correctly.
curl -v http://targetserver/
6. Preventive Measures and Monitoring
- Baselines: Update your server security baseline or policy to include a requirement for disabling unnecessary services like WebDAV.
- Pipelines: Include checks in your CI/CD pipeline to ensure that new servers are configured with WebDAV disabled by default.
- Asset and patch process: Review server configurations regularly as part of your asset management process, checking for unintended service exposure.
7. Risks, Side Effects, and Roll Back
- Roll back: Step 1: Open IIS Manager, select the server name, double-click “WebDAV Publisher”, and click “Enable” in the Actions pane.
8. References and Resources
- Vendor advisory or bulletin: Microsoft KB 241520