Posted on September 20th, 2013 in Storage Made Easy, Webdav | No Comments »
WebDav is an acronym for Web Distributed Authoring and Versioning and can also be referred to as just plain old DAV.
WebDav is an extension of the HTTP protocol that was originally designed by Jim Whitehead from the University of California at Santa Cruz in 1996 when he was working at the World Wide Web consortium and it later became an Internet Engineering Task Force (IETF) standard.
WebDav was built as an interoperable standard to support remote collaborative authoring of Web sites and individual documents, as well as remote access to document based systems.
Today it It is the most popular network file-system protocol for use across the Internet, and although it has been integrated as a interoperable layer into many existing product implementations it is also notably missing as an interoperable API standard from many, such as DropBox, Google Drive, Amazon S3 and more.
The Storage Made Easy WebDav Gateway
SME provide a way to access any mapped cloud by secure WebDav irrespective of whether the underlying Cloud Supports the WebDav protocol natively. As WebDav is so well supported in many desktop and mobile Apps this means that Cloud Data can easily be integrated and accessible without having to move it to access the features of a particular Application that is WebDav enabled.
Connecting to WebDav Servers and Windows Shares
SME can also be configured to connect to servers that support the WebDav protocol. This use of WebDav from a SME perspective is using WebDav as a back end cloud to store data rather than exposing existing clouds to be accessible using the WebDav protocol.
Many existing NAS or SAN devices such as those as the NetGear ReadyNAS and the Synology devices range already provide WebDav as an access protocol to access data. Also existing web servers such as Apache can also be configured to use WebDav using the Mod Dav extension.
Many users of SME want to expose windows file shares and make them directly available through the SME service to all devices. The most appropriate and secure way to do this is not to expose such shares directly but to configure Microsoft Internet Information Server to expose these shares over WebDav.
Advantages of WebDav for Windows File Sharing
This has the following advantages:
Seamless integration with the IIS Manager
A secondary protocol provides a security DMZ with regards to direct access to windows shares
IIS WebDAV can be enabled at the site level, allowing IT administrators to restrict WebDAV access to specific sites on a server.
IIS WebDAV supports per-URL authoring rules, allowing administrators to specify custom WebDAV security settings on a per-URL basis. This fine-grained control gives administrators the ability to maintain one set of security settings for normal HTTP requests and a separate set of security settings for WebDAV.
IIS WebDAV supports both shared and exclusive locks to prevent lost updates due to overwrites
WebDAV supports secure connection as well. By enabling HTTPS over all WebDAV connections, security is fortified. SSL certificates can also be installed to increases security measures
Why WebDav as a Cloud Connector ?
WebDAV is an optimized protocol for document access over http. It is proven as being latency independent and is efficient over wide area networks especially in contrast to file protocols such as NFS and CIFS.
Using secure WebDAV ensures the data is encrypted during transmission and due to the optimizations that data is stored efficiently and quickly .
Why Not The Common Internet File System (CIFS)
CIFS is the standard way that windows users share files across corporate intranets and the Internet with a secure VPN connection.
To expose such shares directly to the internet or to other none windows PC’s it is needed to use a bridging technology. Samba is often used as such as technology. With Samba, the ports 139/tcp and 445/tcp are exposed over a public IP Address. Once this is done such shares are accessible.
The drawbacks of this are:
- The CIFS protocol used by Windows file sharing does not provide data encryption
The protocol itself is quite chatty.
No level of security indirection
CIFS is is an optimized protocol for access to data over a network that has been extended by VPN and has been used in this context by many companies for a long time. The disadvantage of this is that all devices have to support , be setup, and work with the VPN. preventing access by some devices and Apps and making Adhoc ‘on the fly’ access difficult.
Securing WebDav Servers
It is beyond the scope of this blog post to go into great detail on the steps required to secure WebDav servers but Microsoft has a very good guide on how to secure the IIS WebDav Service. This can be accessed at:
In addition to this you should note the following best practices:
Folder Permissions: Use non-anonymous authentication. Modify the NTFS permissions on the folder to only allow the access necessary to the users who require such access
Prevent File Execution: If you are only using WebDAV as a file store and not using it to display web pages, then execute permissions should be removed from that site or folder.
Apache WebDav servers can be configured to use LDAP authentication and also two factor authentication and any deployments should consider implementing these.