Windows 10 sends spurious WebDAV requests to remote webservers

codegrunt 26 Reputation points
2022-03-22T17:08:39.147+00:00

Hello everyone. I am hoping someone out there might have insight into a Windows WebDAV bug / configuration issue I have been trying to isolate the cause of for something like a decade. In the discussion below IPs and URLs have been changed to local non-routables for privacy. The actual requests were between a customer in their office using Windows 10 and a remote Apache webserver hosting a client's shopping cart.

The ModSecurity firewall has a default rule to block spurious WebDAV attempts against web servers that do not allow this protocol. It's an effective method for catching and blocking malicious bots trying to poll for vulnerabilities. Unfortunately, for unknown reasons some Windows machines will send spurious WebDAV requests like this Windows 10 machine attempting WebDAV against our webserver:

192.168.1.1 - - [21/Mar/2022:08:26:07 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"

The machine this request originated from was a customer's Windows 10 install and, aside from the spurious WebDAV attempts, they were just browsing my client's shopping cart:

192.168.1.1 - - [21/Mar/2022:08:19:00 -0700] "GET /cart.php HTTP/1.1" 200 161 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36"

When Windows installs start sending these WebDAV requests, they usually will pick a specific file and keep requesting that one file until eventually they get automatically blocked by our firewall. In this case the customer was using Chrome but the problem is not specific to the browser the customer is using (I have seen it occur with customers using IE and Edge as well).

There is zero reason for the customer's machine to be sending WebDAV requests to our server. We are not on their local network and they do not manage any files on our server. Note that the customer is not intentionally triggering these requests; they just occur seemingly randomly. They also do not occur for all Windows users, just a subset. The user agent in the requests is always whatever version of "Microsoft-WebDAV-MiniRedir" the client has installed.

Does anyone have any idea what triggers these spurious WebDAV requests? This has been a bugbear for years now and I would dearly love to nail down the cause.

Cheers


1 answer

  1. codegrunt 26 Reputation points
    2023-01-09T17:05:24.857+00:00

    Following up my own post as this seems relevant:

    https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/

    file:// URIs may be partially what is triggering this behaviour.

    2 people found this answer helpful.
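
For the server side of the situation described in the question, the following Python script is an added example (not part of the thread, and not ModSecurity or Microsoft code) that groups `Microsoft-WebDAV-MiniRedir` requests in an Apache combined-format access log by client IP and marks the pattern the post describes: an IP with ordinary browser traffic whose MiniRedir requests all target one file. The function name `triage`, the report keys, and every sample line marked as constructed (including the client `192.168.1.50`) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MINIREDIR = "Microsoft-WebDAV-MiniRedir/"

# First two lines are quoted from the question; the rest are constructed samples.
SAMPLE = [
    '192.168.1.1 - - [21/Mar/2022:08:19:00 -0700] "GET /cart.php HTTP/1.1" 200 161 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36"',
    '192.168.1.1 - - [21/Mar/2022:08:26:07 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"',
    '192.168.1.1 - - [21/Mar/2022:08:26:09 -0700] "OPTIONS /shop_closed.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"',
    '192.168.1.50 - - [21/Mar/2022:09:00:01 -0700] "PROPFIND / HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"',
    '192.168.1.50 - - [21/Mar/2022:09:00:02 -0700] "OPTIONS /index.html HTTP/1.1" 403 3455 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"',
    'truncated or malformed line',
]

def triage(lines):
    """Return ({ip: summary}, skipped_count) for IPs that sent MiniRedir requests."""
    webdav = defaultdict(Counter)   # ip -> Counter of (method, path)
    browser = Counter()             # ip -> number of ordinary browser requests
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1            # count unparseable lines instead of hiding them
            continue
        if m["ua"].startswith(MINIREDIR):
            webdav[m["ip"]][(m["method"], m["path"])] += 1
        elif m["ua"].startswith("Mozilla/"):
            browser[m["ip"]] += 1
    report = {}
    for ip, hits in webdav.items():
        (method, path), _ = hits.most_common(1)[0]
        report[ip] = {
            "webdav_requests": sum(hits.values()),
            "distinct_targets": len(hits),
            "top_target": f"{method} {path}",
            "browser_requests": browser[ip],
            # Pattern from the post: browsing session plus repeats of one file
            "matches_post_pattern": browser[ip] > 0 and len(hits) == 1,
        }
    return report, skipped

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `matches_post_pattern` flag is only a triage hint for reviewing firewall blocks, since the User-Agent header is client-supplied.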