SharePoint Security Vulnerability
Hi All,

There is a very severe SharePoint security vulnerability related to the WebDAV protocol. A user can see all site content by browsing SharePoint site data through the Windows Explorer view:

1. Click Start, then type a path in Run such as \\yoursite\subsite\forms or \\yoursite\subsite\documents

It is alarming to see that any user with the "Use Client Integration Features" and "Use Remote Interfaces" permissions on the site can browse all SharePoint site directories.

P.S. If we roll back the "Use Client Integration Features" permission, then users cannot create new items in any form library / SharePoint list. Therefore this permission is mandatory for us.

For more information you can see the following URLs:

http://forums.iis.net/t/1149348.aspx
http://social.technet.microsoft.com/Forums/en-US/sharepointgeneral/thread/023f4b23-3ce6-4d83-8cb0-7398b88ba6ab

Any help in this regard will be greatly appreciated...
May 18th, 2010 6:02pm

I don't understand the issue very well. I entered \\mysharepointsite\subsite\forms in Start -> Run, and it tells me that I do not have permission. I can open the SharePoint document library with WebDAV if I enter \\mysharepointsite\documents in Start -> Run. Do you mean that I can open \\mysharepointsite\subsite\forms if I enable WebDAV in IIS? Or do you mean what follows from http://blogs.technet.com/srd/archive/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions.aspx :

Question: Is SharePoint vulnerable to the authentication bypass?
Answer: No, SharePoint is not vulnerable to this vulnerability. The SharePoint team does not use the same code as IIS. Their DAV server goes against their backend SQL store, not the file system.
May 19th, 2010 8:28am

Hi Gu Yuming,

My concern is to disable directory browsing and Explorer View. Disabling only WebDAV is not the solution to the problem, because SharePoint implements its own WebDAV functionality through the Stsfilt.dll ISAPI filter that is installed with both Windows SharePoint Services and SharePoint Portal Server. Initially I was able to disable Explorer View by disabling the permissions "Use Client Integration Features" and "Use Remote Interfaces" from SharePoint Central Administration > Application Management > User Permissions for Web Application. But by doing so, it also disables launching client applications, and without this permission (Use Client Integration Features) users will have to work on documents locally and upload their changes manually. Now what to do?
May 19th, 2010 9:44am

I understand that you want to disable WebDAV in IIS (or you mean that you want to disable directory browsing in IIS). However, I still do not understand why you want to disable Explorer View in SharePoint. It's a popular feature for copying files to and from a SharePoint document library.
May 25th, 2010 10:03am

Hi GuYuming,

I have already disabled WebDAV in IIS, and I have also disabled directory browsing in IIS. But the problem is that SharePoint implements its own WebDAV functionality through the Stsfilt.dll ISAPI filter that is installed with both Windows SharePoint Services and SharePoint Portal Server. The reason I want to disable Explorer View is that any user with the least permission (i.e. Restricted Read) can view all library and site content. In order to restrict the user I have to manually assign unique permissions on individual items, which is not feasible as there are thousands of documents in a library. Also, it is my client's requirement to disable Explorer View.
May 26th, 2010 8:41am

Restricted Read includes permissions to view pages and documents, but not historical versions or user rights information. So I think it's OK that any user with the least permission (i.e. Restricted Read) can view all library and site content.
May 31st, 2010 6:00am

Dear Gu Yuming,

A user should only see the data which pertains to him. Through the Explorer View feature, a user can access everything... In order to restrict it you have to uniquely assign permissions on every individual item, which is really not feasible and increases your maintenance. My simple question is: "Is there any way to disable WebDAV and Explorer View functionality?"
May 31st, 2010 7:40am

There is no way to disable WebDAV and Explorer View functionality. However, I don't think this is a security issue, since a user can see no more than what he has permission to see in Explorer View.
May 31st, 2010 9:40am
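The thread turns on two points: the poster disabled "Use Client Integration Features" and "Use Remote Interfaces" at the web application level (Central Administration > User Permissions for Web Application), and the reply says Explorer View only shows what a user is already permitted to see. The script below is an added audit example, not code from this thread or from Microsoft; it assumes a SharePoint 2010 farm, the SharePoint Management Shell (Microsoft.SharePoint.PowerShell snap-in), and placeholder URLs $WebAppUrl and $SiteUrl that you replace with your own. It reports whether the web application still grants those two rights, and which permission levels on a site grant them and to which groups, so that low-privilege levels such as Restricted Read or Read can be reviewed directly instead of assigning item-level permissions on thousands of documents.

```powershell
# Added audit example (not from the thread, not Microsoft's code).
# Assumed placeholders: $WebAppUrl and $SiteUrl point at your own farm.
# Run in the SharePoint 2010 Management Shell.
param(
    [string]$WebAppUrl = "http://yoursite",           # placeholder
    [string]$SiteUrl   = "http://yoursite/subsite"    # placeholder
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The two rights discussed in the thread, as SPBasePermissions flag values.
$explorerRights = @{
    "Use Client Integration Features" = [Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration
    "Use Remote Interfaces"           = [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs
}

function Test-Right([Microsoft.SharePoint.SPBasePermissions]$Mask,
                    [Microsoft.SharePoint.SPBasePermissions]$Right) {
    # Flags test without .NET 4's HasFlag(); SharePoint 2010 runs on .NET 3.5.
    return ([long]($Mask -band $Right)) -ne 0
}

# 1. Web application level: this is the mask edited under
#    Central Administration > Application Management > User Permissions for Web Application.
$wa = Get-SPWebApplication $WebAppUrl
"Web application rights mask for $($wa.Url):"
foreach ($name in $explorerRights.Keys) {
    "  {0,-32} {1}" -f $name, (Test-Right $wa.RightsMask $explorerRights[$name])
}

# 2. Site level: which permission levels (role definitions) still grant the rights,
#    and which principals hold those levels. Restricted Read and Read are the
#    levels to look at first, since those users get Explorer View too.
$web = Get-SPWeb $SiteUrl
try {
    "Permission levels on $($web.Url) that grant Explorer View rights:"
    foreach ($rd in $web.RoleDefinitions) {
        $granted = $explorerRights.Keys | Where-Object { Test-Right $rd.BasePermissions $explorerRights[$_] }
        if ($granted) {
            $holders = $web.RoleAssignments |
                Where-Object { $_.RoleDefinitionBindings.Contains($rd) } |
                ForEach-Object { $_.Member.Name }
            "  {0,-20} grants: {1}; held by: {2}" -f $rd.Name, ($granted -join ", "), ($holders -join ", ")
        }
    }
}
finally {
    $web.Dispose()
}
```

The script only reads; it changes nothing. Its value is in showing where the rights actually come from: if the web application mask still includes both rights and the Restricted Read level grants them, then every principal listed beside that level can open the site in Explorer View, and the decision about what they should see belongs in the library and folder permissions those principals already have, which is exactly the point made in the final reply.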
