Share via


WebDAV Security

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

WebDAV is a network service that allows users access to files. Application developers and users should take extra precaution to prevent unauthorized users from having access to sensitive information on the device.

Best Practices

Use authentication

Always use authentication for each virtual root that has write permission enabled. This minimizes the possibility of malicious users filling the device file system with an enormous amount of data. For more information, see Web Server Authentication.

Set permission flags

Set appropriate permission flags that limit user access to files.

Be careful when using HSE_URL_FLAGS_SCRIPTS_SOURCE permission flag. This flag allows clients to download the source to ASP scripts and ISAPI extensions. This allows users to view the scripts that the Web Server uses.

Be careful when using the HSE_URL_FLAGS_SCRIPTS_SOURCE and HSE_URL_FLAGS_WRITE at the same time. This combination allows users to upload ASP pages and ISAPI extensions to the device. If malicious users can upload a script to your device, they can gain complete control of the device.

See Also

Concepts

Web Server Security
Web Server Registry Settings