WebDAV Explanation


Standard IIS WebDAV

When IIS is installed, a web service extension called WebDAV is installed but left inactive by default. Its purpose is to allow document sharing over a web pipe: essentially, you can enable folders to show up in your Windows "My Network Places" and open/update/create/delete files as if they were in a normal operating system folder. This feature has some notoriety in the industry as the source of many security issues, and in general, no one wants to turn it on.

As a second layer of security, you may have installed the "URLScan" utility. This is a security utility Microsoft provides to further reduce possible attacks on a web server. It does this by scanning incoming URLs and blocking those that match certain patterns or contain certain types of requests (standard HTTP requests are things like "GET" or "POST", while WebDAV would enable additional verbs, such as the "PROPPATCH" verb shown in Bookshelf).

Therefore, you could turn on WebDAV, if you were so inclined, which might enable handling for 10 such requests (a.k.a. verbs), but then use URLScan to block certain ones (minimizing potential security holes). If you did all this, when a WebDAV call comes in, URLScan will get a shot at blocking it, and may or may not, depending on your settings. If it gets through, it is passed off to the WebDAV handler, which is a DLL (httpext.dll), which will do something with the request.

Exchange's Use of WebDAV


When you install Exchange, it creates a number of virtual directories in IIS, such as http://servername/exchange and http://servername/Exchadmin. For these virtual directories, Exchange registers a separate DLL named "davex.dll" that happens to use the WebDAV protocol. When a WebDAV request comes in for an Exchange virtual folder, it is handled by this DLL, not the normal IIS WebDAV DLL. The (presumed) security risk of the standard WebDAV DLL is not relevant, since Exchange does not use it. However, SSSE still needs URLScan to let such requests through, or the Exchange WebDAV handler will never see them.

Note: All Exchange implementations have WebDAV enabled or Exchange would not work. Any customer who insists WebDAV is not enabled on their Exchange IIS servers is wrong.
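The verb filtering described in the two sections above can be checked offline. The following is an added example, not code from the original document or from Microsoft: it reads the text of a URLScan.ini and lists which WebDAV verbs URLScan would stop before any handler (httpext.dll or davex.dll) sees them. The function names are hypothetical, the verb list is the RFC 4918 method set, and both sample configurations are constructed; the page does not say which verbs SSSE needs, so compare the result against your own requirements.

```python
WEBDAV_VERBS = ["PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]  # RFC 4918

def parse_urlscan_ini(text):
    """Return {section_name_lower: [entries]}; URLScan sections hold bare values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def use_allow_verbs(sections):
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == "useallowverbs":
            return value.strip() == "1"
    return True   # URLScan's documented default is UseAllowVerbs=1

def verb_passes(sections, verb):
    if use_allow_verbs(sections):
        return verb in sections.get("allowverbs", [])       # allow list: case-sensitive
    denied = {v.upper() for v in sections.get("denyverbs", [])}
    return verb.upper() not in denied                       # deny list: case-insensitive

def blocked_webdav_verbs(text):
    sections = parse_urlscan_ini(text)
    return [v for v in WEBDAV_VERBS if not verb_passes(sections, v)]

# Constructed sample configurations (not taken from any real server).
ALLOW_LIST_INI = """
[options]
UseAllowVerbs=1        ; only verbs in [AllowVerbs] are accepted
[AllowVerbs]
GET
POST
PROPFIND
"""
DENY_LIST_INI = """
[options]
UseAllowVerbs=0        ; verbs in [DenyVerbs] are rejected
[DenyVerbs]
proppatch
LOCK
"""
```

Calling `blocked_webdav_verbs()` on the allow-list sample shows that a PROPPATCH request would be rejected by URLScan and never reach davex.dll, which is the failure the section above warns about.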

Exchange 2007 Specific Information


A good explanation can be found here: http://technet.microsoft.com/en-us/library/bb885041(EXCHG.80).aspx. A quick summary: on Exchange 2007, the "exchange" virtual directory is redirected to "owa" for OWA requests. If a user types a URL such as http://<Mailbox Server Name>/exchange into their browser, they will be redirected to a Client Access Server OWA URL. However, davex.dll (which handles DAV requests for the Mailbox Server) does not redirect non-browser WebDAV requests. It handles them locally on the Mailbox Server. Our SSSE components issue WebDAV requests directly to the Mailbox Server, which handles them locally as described above and does not redirect to a Client Access Server.
