Security – Why would PROPFIND and DAV appear in response headers when WebDAV is disabled

Tags: http-headers, iis, security, webdav

I've got a bit of a challenge I'm hoping someone has some ideas on. I'm in the process of deploying a web app to a shared environment with a host running IIS7.5. A security scan has shown that WebDAV is enabled and a stop has been put on the site going live until it's turned off.

Since this finding, the host has been able to first manually disable WebDAV for the site directly in IIS (not a setting we have exposed in the IIS manager) and then provide a switch in their online control panel to turn it off. I can successfully add a network place and remotely connect to the file system while it's on, but cannot do so once I turn it off, so functionally the setting appears to work.

Unfortunately, the site is still returning an accept PROPFIND header and an Ms-Author-Via: DAV header, and this seems to be the basis on which the security scanner makes its recommendations.

So the question is this: is it expected behaviour that when WebDAV is disabled for one site but enabled for others on the same machine, the response headers for that site should reflect what I'm seeing above? And is this by design or is there something else that should be done configuration wise at the individual site level to avoid this?

Best Answer

Hi, I hope this is of some help to you:

http://unixwiz.net/techtips/ms971492-webdav-vuln.html

While that is for IIS 5/6, it has some good info on security.

Try some of the opposite steps here:

http://learn.iis.net/page.aspx/350/installing-and-configuring-webdav-on-iis-7/

While this isn't a direct answer to your question I hope it is some help to you in finding one.
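The check the scanner is effectively performing is an OPTIONS request followed by a look at three response headers: Allow (does it list PROPFIND and the other DAV methods), DAV (the compliance-class header, typically "1,2") and MS-Author-Via (set to "DAV" by IIS). The script below is an added example, not code from the question or the answer above: it parses a raw HTTP response into headers, reports which WebDAV indicators are present, and can also run a live OPTIONS probe against a host you supply. The two sample responses are constructed for illustration and were not captured from the poster's server.

```python
"""Check an HTTP OPTIONS response for WebDAV indicators.

Added example, not from the original post. The sample responses below are
constructed for illustration; probe() performs a real network request.
"""
import http.client

# Methods that only a WebDAV-enabled endpoint should advertise in Allow.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line plus headers) into a dict
    keyed by lowercase header name. Repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def webdav_indicators(headers: dict) -> list:
    """Return the WebDAV signals found in parsed headers; an empty list is clean."""
    findings = []
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    dav_methods = sorted(allow & DAV_METHODS)
    if dav_methods:
        findings.append("Allow advertises WebDAV methods: " + ", ".join(dav_methods))
    if "DAV" in headers.get("ms-author-via", "").upper():
        findings.append("MS-Author-Via: " + headers["ms-author-via"])
    if "dav" in headers:
        findings.append("DAV: " + headers["dav"])
    return findings


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 10.0) -> list:
    """Send a real OPTIONS request to host and report WebDAV indicators.
    This is the only function that touches the network."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            name = name.lower()
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
        return webdav_indicators(headers)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
SAMPLE_WEBDAV_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, "
    "PUT, DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "\r\n"
)
SAMPLE_WEBDAV_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("on", SAMPLE_WEBDAV_ON), ("off", SAMPLE_WEBDAV_OFF)):
        print(label, webdav_indicators(parse_response_headers(raw)))
    # Live check of your own site, e.g.: print(probe("www.example.com", "/"))
```

Note that disabling WebDAV authoring rules for a site is not the same as unloading the WebDAV module from that site's pipeline: on IIS 7.x the DAV and MS-Author-Via headers are added by the WebDAVModule, so as long as it remains in the site's module list the OPTIONS response will keep advertising them even though authoring no longer works. The site-level way to drop them is to remove the module (and the WebDAV handler) in the site's own web.config under system.webServer, which is the "opposite step" to the installation guide linked above. Re-run the probe afterwards to confirm the findings list is empty.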