Recently on our balcony:
Yeah, Microsoft sucks at providing WebDAV client capabilities but here is some help to get Windows Vista and later to work with HTTP basic authentication:
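Change or create the registry value “BasicAuthLevel” (REG_DWORD) under the key “HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters” and set it to “2”.
This will work around the nasty behaviour of Windows rejecting basic authentication even when used over HTTPS. Level 2 enables basic authentication for both SSL and non-SSL connections, so over plain HTTP the credentials are sent unencrypted; level 1 limits it to SSL.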
Second FAIL for today: Microsoft Windows WebDAV implementation!
Why does MS ship a WebDAV connector with their operating system if it is so fu**ed up beyond repair that it makes you want to `rm -rf` the virtual machine the whole system is running in?
I set up several WebDAV folders on Apache2 to provide easy(!!!) file uploads for our CMS maintainers which they can access on their Windows desktops. My tests on GNU/Linux with cadaver worked fine and everything went smoothly as I intended it.
So I went on and tried to incorporate the shares in Windows:
This immediately resulted in an error popup (translated message: “The folder entered is not valid. Please choose another folder.”). I went back and forth trying to find out what happened and searched a lot of blog posts about Windows and WebDAV and how much it sucks, but I found no hint that could solve my problem.
So I settled on Wireshark as a last resort and captured the network traffic while I tried to access the URL with Windows WebDAV.
That was when it hit me like a truck, something was missing from the URL in the packet dump:
Yeah right, some funny folk over at Redmond implemented a strip-the-trailing-slash-from-the-URL function for the Windows WebDAV implementation.
The string “/pathto/webdav/bmed/” silently became “/pathto/webdav/bmed”!
This will have no impact if you configured your Apache2 to enable WebDAV on a location without the trailing slash. Mine was configured like this:
    Alias /pathto/webdav/bmed/ /some/webdav/folder/
    <Location /pathto/webdav/bmed/>
        Dav on
    </Location>
So Windows never queried for the right URL to get WebDAV support. I had to remove the trailing slash from my configuration to make it work.
I’m very curious now what the responsible engineer at Microsoft had on his mind when he implemented this crap … but I guess we will never know.
UPDATE: For the sake of completeness, this behaviour is still not fixed in Microsoft Windows 7 Build 7201. It’s even using the same old dialogs but it seems that they have changed the User-Agent string to “Microsoft-WebDAV-MiniRedir/6.1.7201”. So Windows 7 folks have a new but still broken WebDAV implementation. Congrats!
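The trailing-slash mismatch from the WebDAV post above can be checked before Windows clients ever connect. The following is an added example, not code from the original post: a simplified model of the prefix rule the Apache documentation gives for non-regex `<Location>` sections, run over a constructed config that contains the post's block plus a hypothetical slash-free one (`/pathto/webdav/other`).

```python
import re

# Constructed sample: the configuration from the post plus one slash-free block.
SAMPLE_CONF = """\
Alias /pathto/webdav/bmed/ /some/webdav/folder/
<Location /pathto/webdav/bmed/>
Dav on
</Location>
<Location /pathto/webdav/other>
Dav on
</Location>
"""

def location_matches(location, url_path):
    """Prefix rule documented for a non-regex <Location> section."""
    if location.endswith("/"):
        # "/x/" covers "/x/" and everything below, but not "/x" itself.
        return url_path.startswith(location)
    # "/x" covers "/x", "/x/" and everything below, but not "/xother".
    return url_path == location or url_path.startswith(location + "/")

def dav_locations(conf_text):
    """Return the paths of <Location> sections that contain 'Dav on'."""
    found, current, dav = [], None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            current, dav = opened.group(1), False
        elif re.match(r"</Location>", line, re.I):
            if current is not None and dav:
                found.append(current)
            current = None
        elif current is not None and re.match(r"Dav\s+on\b", line, re.I):
            dav = True
    return found

def missed_after_slash_strip(conf_text):
    """DAV locations no section covers once the trailing slash is stripped."""
    locations = dav_locations(conf_text)
    missed = []
    for loc in locations:
        requested = loc.rstrip("/") or "/"
        if not any(location_matches(other, requested) for other in locations):
            missed.append((loc, requested))
    return missed

if __name__ == "__main__":
    for loc, requested in missed_after_slash_strip(SAMPLE_CONF):
        print(f"<Location {loc}>: request for {requested} gets no DAV handling")
```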
I searched the web for checklist templates on IT security auditing today and found a site which offered some MS Office documents used as templates in former audits at German banks.
After downloading all of them I started to take a quick look through them to sort out those which will help me in our upcoming audit. The third document (German) I opened up in OpenOffice.org was an Excel sheet with two tables where the second one was initially opened, so I switched to the first and was presented the seventh page of 17 in all. The auditing questions in there were about user management and creation and expiry of accounts.
As I scrolled up a bit I saw that there were not only the questions but also their respective answers still in this document. It seems that some fool who audited this bank put the document on his webpage without cleaning the information from it. At least 6 pages of the first table contained answers outlining the current IT landscape with some of them marked as “high risk” by the auditor himself.
Most of the text is about what kind of rules are not defined and where exceptions to their procedures can occur. Maybe enough information to put their infrastructure at risk!
Conclusion: Even if you run through an audit on a regular basis, no one spares you from the incompetence of the auditor!
Since it is already getting a bit colder again, I am simply posting a few photos from the hike in the Bärenschützklamm that I took together with Christa, Birgit and Werner.