Want to make sure WebDAV is secure

I set up WebDAV on a 2012 R2 server and everything seems good so far. I set up a test share and can mount that share on the server and on a non-domain connected machine (with domain creds). This server running WebDAV is joined to the domain.

I want to set up different virtual directories based on groups and assign groups to those vdirs. Am I doing this under the vdir and then under WebDAV Authoring Rules? I see 'Allow access to this content to:' and a few choices. Do I put in domain\group under 'Specified roles or user groups'? Would I have multiple rules in there based on maybe one for the admin (read/write/source) and one for the users (read/write)?

Dan McFadden (Systems Engineer) commented:
If the IIS server is in the domain, the most manageable solution is to use domain groups to control permissions to the various resources.

Under Authoring Rules, you have the option to configure users or groups.  I would create a Domain group per directory and grant that group the necessary rights.  Then just place the necessary users into their required access groups.

Your rules would be action based.  One rule (for a group) for read-only access, one rule for Read/Write, etc.

mvalpreda (Author) commented:
What does the 'source' permission give to a user? Groups are added to Authoring Rules as 'domain\group' correct?

Dan McFadden (Systems Engineer) commented:
It allows someone to see the contents of a coded web page.  For example an ".aspx" or an ".asp" file.  To view a file of the type ".htm" or ".html" you don't need the source permission.  Below is a reference link to configuring an authoring rule.

Link:  https://technet.microsoft.com/en-us/library/dd722746.aspx

As long as the WebDAV server is a member of the domain, you can use DOMAIN\GroupName

mvalpreda (Author) commented:
Now that you say it, not sure why I didn't put that together with the source permission!

The average user should not need source then I assume?

Dan McFadden (Systems Engineer) commented:
No.  In general, there aren't many reasons I can think of for an average user to need access to the source code of web file types.
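
An added example, not part of the thread or of Microsoft's documentation: a PowerShell check over a constructed config fragment in the shape IIS stores WebDAV authoring rules, flagging rules that grant Source outside an admin group or that apply to all users instead of a group. The site, virtual directory and group names are placeholders, and one group per rule is assumed.

```powershell
# Constructed sample in the shape IIS writes WebDAV authoring rules to
# applicationHost.config; site, vdir and group names are placeholders.
$configXml = [xml]@'
<configuration>
  <location path="Default Web Site/finance">
    <system.webServer>
      <webdav>
        <authoringRules>
          <add roles="EXAMPLE\WebDAV-Admins" path="*" access="Read, Write, Source" />
          <add roles="EXAMPLE\Finance-Users" path="*" access="Read, Write" />
        </authoringRules>
      </webdav>
    </system.webServer>
  </location>
  <location path="Default Web Site/hr">
    <system.webServer>
      <webdav>
        <authoringRules>
          <add roles="EXAMPLE\HR-Users" path="*" access="Read, Write, Source" />
          <add users="*" path="*" access="Read" />
        </authoringRules>
      </webdav>
    </system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: emits one finding per questionable authoring rule.
function Get-WebDavRuleFinding {
    param([xml]$Config, [string[]]$SourceAllowedRoles)
    foreach ($loc in $Config.SelectNodes('//location')) {
        foreach ($rule in $loc.SelectNodes('system.webServer/webdav/authoringRules/add')) {
            $roles  = $rule.GetAttribute('roles')   # empty string when the attribute is absent
            $users  = $rule.GetAttribute('users')
            $access = $rule.GetAttribute('access') -split '\s*,\s*'
            $issues = @()
            if ($access -contains 'Source' -and $roles -notin $SourceAllowedRoles) { $issues += 'Source granted outside the admin group' }
            if ($users -eq '*') { $issues += 'rule applies to all users, not a named group' }
            foreach ($i in $issues) {
                [pscustomobject]@{ Location = $loc.GetAttribute('path'); Principal = "$roles$users"
                                   Access = $access -join ','; Issue = $i }
            }
        }
    }
}

Get-WebDavRuleFinding -Config $configXml -SourceAllowedRoles 'EXAMPLE\WebDAV-Admins' | Format-Table -AutoSize
```

To run the same check against a live server, load `$env:windir\System32\inetsrv\config\applicationHost.config` with `[xml](Get-Content ...)` from an elevated prompt and pass it as `-Config`.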

mvalpreda (Author) commented:
Opened 443 on my firewall to the test machine I have set up. I tried to map a network drive to https://webdav.domain.com/share from the outside and it does not work. The error I get is 'An unexpected network error occurred.'

Is this an issue with a self-signed cert? If I go to https://webdavtest.domain.local/share there is obviously a cert error, and it points to the FQDN of my webdavtest machine.

mvalpreda (Author) commented:
Doing some tests on a domain connected machine internally and I'm not sure what the deal is.....
1) Map to https://webdavtest/share and it maps no problem
2) Map to https://webdavtest/share and tell it to use different credentials and put in administrator\password and it works. domain\administrator and password just hangs when trying to connect.
3) Map to https://webdavtest.domain.local/share and it asks for a password. Put in administrator\password, does not work. (A device attached to the system is not functioning). Same result with domain\administrator and password.
4) Map to and it asks for a password. Put in administrator\password, does not work. (A device attached to the system is not functioning). Same result with domain\administrator and password.

Dan McFadden (Systems Engineer) commented:
1. What is the FQDN configured in the SSL cert?

Here is a how-to on connecting to WebDAV sites as a mapped drive.

link:  http://www.yeehawup.com/2011/07/mapping-a-network-drive-to-webdav-share-in-windows-7/


mvalpreda (Author) commented:
I added a free 30 day cert and was able to connect from outside. Outside DNS name matches the name on the cert. I need to do some testing next week with security on the share(s) now.