EFS File Transactions and WebDAV
Traditionally, Windows has used the SMB protocol to manipulate files across the network. Windows Server 2003 and Windows XP add a second way of working with files on remote machines: Web-based Distributed Authoring and Versioning, or WebDAV. For references on WebDAV, see RFC 2518, "HTTP Extensions for Distributed Authoring—WEBDAV," and the WebDAV working group's web site, www.ietf.org/html.charters/webdav-charter.shtml.
Chapter 16, "Managing Shared Resources," describes how to set up a shared web folder on a server or desktop. The host must be running Internet Information Services (IIS) because the shared folder is actually just a virtual folder in the default web site. Also, WebDAV publishing must be enabled in the IIS metabase. This is not done by default.
A network provider in Windows Server 2003, the WebDAV redirector, controls transactions to and from a web share. WebDAV uses HTTP as its wire protocol, making it possible to access files through a firewall using standard TCP port 80. Note that plain HTTP adds no protection of its own; anything not already encrypted before transfer crosses the wire in the clear.
To create a shared web folder, you must be running IIS on the server with security lockdown set to permit WebDAV publishing. Do this in the Internet Information Services console. Right-click the server icon, select SECURITY from the flyout menu, then walk through the IIS Security Lockdown Wizard. In the Enable Request Handlers window, select the Enable WebDAV Publishing option. Figure 17.11 shows an example.
Figure 17.11. IIS Security Lockdown Wizard—Enable Request Handlers window showing the Enable WebDAV Publishing option.
Connecting to a WebDAV share is as simple as specifying the URL of the web share instead of a UNC name. For instance, you would map a drive to http://server_name/webshare rather than \\server_name\share.
When you make a WebDAV connection and open a file, the WebDAV redirector issues an HTTP GET to copy the whole file into the local Temporary Internet Files cache. The user makes changes to the local copy of the file. When the user saves the changes, the whole file is copied back to the WebDAV share via an HTTP PUT. This is far less sophisticated than SMB, which reads and writes byte ranges in place, and much slower, but it is much handier than doing a series of FTP file transfers.
WebDAV Advantages for EFS
In addition to standard GETs and PUTs, WebDAV supports file locking (the LOCK and UNLOCK methods) and stores a set of properties alongside each file's data. A WebDAV client reads these properties with the PROPFIND method and writes them with PROPPATCH. Version control is not part of RFC 2518; it is defined separately in the DeltaV extensions (RFC 3253). Figure 17.12 shows the WebDAV properties of a file.
Figure 17.12. Properties of a file in a shared web folder.
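The property exchange described above, shown as an added example rather than code from the book: the client sends a PROPFIND (optionally a PROPPATCH to set its own property) and the server answers with a 207 Multi-Status body that carries the properties, including any active lock. The response below is constructed for illustration; the share name, the user name and the lock token are assumptions, not values taken from a real server.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DAV = "{DAV:}"   # ElementTree's Clark notation for the WebDAV namespace


def build_propfind(depth=0):
    """Headers and body for a PROPFIND asking for every property.
    Depth 0 = the resource itself, 1 = the resource plus its children."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
    headers = {"Depth": str(depth), "Content-Type": 'text/xml; charset="utf-8"'}
    return headers, body


def build_proppatch(namespace, name, value):
    """Body for a PROPPATCH that sets one client-defined ("dead") property.
    `name` must be a valid XML local name; `namespace` must contain no quotes."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
            f'<X:{name} xmlns:X="{namespace}">{escape(value)}</X:{name}>'
            '</D:prop></D:set></D:propertyupdate>')


def _local(tag):
    return tag[len(DAV):] if tag.startswith(DAV) else tag


def _value(elem):
    """Leaf elements become strings, nested elements become dicts;
    repeated children (e.g. several activelock entries) become lists."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    out = {}
    for child in children:
        key, val = _local(child.tag), _value(child)
        if key in out:
            if not isinstance(out[key], list):
                out[key] = [out[key]]
            out[key].append(val)
        else:
            out[key] = val
    return out


def parse_multistatus(xml_text):
    """Map each href in a 207 Multi-Status body to the properties the server
    returned with status 200; propstat blocks with other statuses are dropped."""
    result = {}
    for resp in ET.fromstring(xml_text).findall(DAV + "response"):
        props = {}
        for propstat in resp.findall(DAV + "propstat"):
            if " 200 " not in propstat.findtext(DAV + "status", ""):
                continue
            for p in propstat.find(DAV + "prop"):
                props[_local(p.tag)] = _value(p)
        result[resp.findtext(DAV + "href")] = props
    return result


def is_collection(props):
    rt = props.get("resourcetype")
    return isinstance(rt, dict) and "collection" in rt


def active_locks(props):
    """Return (scope, type, token) for each lock listed in lockdiscovery."""
    ld = props.get("lockdiscovery")
    if not isinstance(ld, dict):
        return []
    locks = ld.get("activelock", [])
    if isinstance(locks, dict):
        locks = [locks]
    out = []
    for lk in locks:
        tok = lk.get("locktoken")
        out.append((next(iter(lk.get("lockscope", {})), None),
                    next(iter(lk.get("locktype", {})), None),
                    tok.get("href") if isinstance(tok, dict) else tok))
    return out


# Constructed 207 response: a folder and one locked file (names are made up).
SAMPLE_MULTISTATUS = r"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/webshare/</D:href>
  <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype>
   <D:getlastmodified>Mon, 14 Apr 2003 09:12:31 GMT</D:getlastmodified></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/webshare/report.doc</D:href>
  <D:propstat><D:prop><D:resourcetype/><D:getcontentlength>20480</D:getcontentlength>
   <D:lockdiscovery><D:activelock><D:locktype><D:write/></D:locktype>
    <D:lockscope><D:exclusive/></D:lockscope><D:depth>0</D:depth>
    <D:owner>DOMAIN\alice</D:owner><D:timeout>Second-3600</D:timeout>
    <D:locktoken><D:href>opaquelocktoken:f81d4fae-7dec-11d0-a765-00a0c91e6bf6</D:href></D:locktoken>
   </D:activelock></D:lockdiscovery></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  <D:propstat><D:prop><D:quota-used-bytes/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    for href, props in parse_multistatus(SAMPLE_MULTISTATUS).items():
        kind = "collection" if is_collection(props) else "file"
        print(href, kind, props.get("getcontentlength", "-"), active_locks(props))
```

The 404 propstat block is the normal way a server reports a property it does not have, which is why the parser keys on the per-block status rather than treating every listed property as present.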
Because WebDAV clients work on local copies of a file, they have a few advantages when working with encrypted files in an untrusted environment such as the Internet:
Encrypted file transfers.
Using WebDAV, the client encrypts the file locally in the Temporary Internet Files cache and then transfers the encrypted file across the network to the server, so only ciphertext appears on the wire. This contrasts with SMB, where the server decrypts the file and the data stream going across the wire is unencrypted. (The HTTP transport itself adds no protection; it is the file contents, not the connection, that are encrypted.)
"Trusted for Delegation" option not required.
Using WebDAV, the client takes responsibility for file encryption, not the server. This means the server never needs the user's EFS certificate and private key and therefore does not need to be trusted for delegation. This relieves you of the chore of hardening the server against Trojan horse programs that could harvest those keys. Also, you will not see dozens or hundreds of user profiles proliferating in the Documents and Settings folder at the server.
Managing Encrypted File Transfer Over WebDAV
You need to be careful when manipulating encrypted files in a web share because there is no outside indication of a file's encryption status. The encryption bit is part of the WebDAV properties, which can only be seen when the file is viewed via the WebDAV redirector. If you access an encrypted WebDAV file via Explorer or a standard SMB share, all you see is the gibberish of the encrypted contents. So, when a user encrypts a file on a WebDAV share, the only way the file can be opened again is through the WebDAV share.
This aspect of WebDAV has an interesting ramification: it makes encrypted file recovery very simple. To open an encrypted WebDAV file, all you need to do is log on at a machine that holds the file recovery (FR) private key of a data recovery agent (DRA) and access the file via WebDAV. Because the file is first copied to the local cache, the local EFS driver can decrypt it with the DRA's key and you can open the file.
WebDAV transfer of encrypted files has a dark side as well. Because the contents of an EFS-encrypted file are completely opaque to content scanners, WebDAV lets users bring unauthorized files into your network "under the radar" of any file scanners running at your firewall or proxy server. Layer 7 scanning has become a popular block against viruses and other malicious code, and it is useless against ciphertext.
Because WebDAV rides on port 80, there is no clean way to stop such transfers short of blocking WebDAV writes altogether: a proxy that filters HTTP methods can refuse PUT, PROPPATCH, MKCOL and LOCK, but that stops every WebDAV upload, encrypted or not. The remaining option is a policy in your file scanner that alerts you when a file with encrypted contents (high entropy and no recognizable file signature) traverses the firewall; you can then contact the user to find out what the file was for. This is a labor-intensive solution, I agree, but as WebDAV starts to get popular, some of the leading virus scanning vendors may figure out a way to automate the process.
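The alerting policy suggested above, worked through as an added example (this is illustrative code, not the book's or any vendor's scanner): a proxy-side check that picks WebDAV write methods out of HTTP requests on port 80, estimates the entropy of each PUT body, and flags bodies that are high-entropy yet carry none of the headers of a known compressed or document format. The threshold, the magic-number table, the host name server_name and the sample requests are all assumptions constructed for the example; the random bytes stand in for an EFS ciphertext.

```python
import math
import random
from collections import Counter

# WebDAV methods that write content or metadata to the server (RFC 2518).
WRITE_METHODS = {"PUT", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK"}

# Leading bytes of formats that are legitimately high-entropy (compressed) or
# at least recognisable. An EFS-encrypted body carries none of these.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy Office documents
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
COMPRESSED = {"zip", "gzip", "png", "jpeg"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
MIN_BODY = 512            # below this an entropy estimate means little


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return method, target, headers, rest[:length]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_format(data: bytes):
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_upload(raw: bytes) -> dict:
    """Verdicts: not-an-upload, metadata-write, known-compressed, known-format,
    too-small, opaque (alert: probably encrypted) or readable."""
    method, target, _headers, body = parse_request(raw)
    info = {"method": method, "target": target, "size": len(body)}
    if method not in WRITE_METHODS:
        return {**info, "verdict": "not-an-upload"}
    if method != "PUT":
        return {**info, "verdict": "metadata-write"}
    fmt, ent = identify_format(body), shannon_entropy(body)
    info.update(format=fmt, entropy=round(ent, 2))
    if fmt in COMPRESSED:
        return {**info, "verdict": "known-compressed"}   # high entropy is expected
    if fmt is not None:
        return {**info, "verdict": "known-format"}
    if len(body) < MIN_BODY:
        return {**info, "verdict": "too-small"}
    if ent >= ENTROPY_THRESHOLD:
        return {**info, "verdict": "opaque"}
    return {**info, "verdict": "readable"}


def make_put(path: str, body: bytes, host: str = "server_name") -> bytes:
    """Build a constructed PUT request for the samples below."""
    head = (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


# Constructed sample traffic (seeded so the example is deterministic).
_rng = random.Random(2003)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(4096))
REQ_TEXT = make_put("/webshare/notes.txt", b"Quarterly status notes.\r\n" * 60)
REQ_ZIP = make_put("/webshare/archive.zip", b"PK\x03\x04" + _random_bytes)
REQ_OPAQUE = make_put("/webshare/secret.doc", _random_bytes)
REQ_GET = b"GET /webshare/notes.txt HTTP/1.1\r\nHost: server_name\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_TEXT, REQ_ZIP, REQ_OPAQUE, REQ_GET):
        print(classify_upload(req))
```

The magic-number list is the part that needs tuning in practice: a compressed format the table does not know about is indistinguishable from ciphertext by entropy alone and will raise the same alert, which is the false-positive cost of the labor-intensive policy the text describes.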