RE: Why does XP establish HTTP connection when browsing network shares?

From: Tony Mason (Mason@osr.com)
Date: 05/27/02


From: Tony Mason <Mason@osr.com>
To: "'winx@btconnect.com'" <winx@btconnect.com>, focus-ms@securityfocus.com
Date: Mon, 27 May 2002 15:23:14 -0400

Unfortunately, this isn't a "standard" component that you can disable via
the control panel.

However, all of this is controlled (like everything else in Windows
NT/2K/XP/.NET) via the registry. In the case of WebDAV, the redirector is
marked (in its service key within the registry,
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXDAV) as "manual
start". I have not confirmed, but you should be able to set this to
"disabled" (type 4) and it shouldn't start. Failing that, just remove the
service key.

In addition, then, you also need to remove the network provider (that's the
DLL that allows you to "browse" using explorer, until you find a storage
component, when it then starts using the UNC path mechanism). This is in
the registry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NetworkProvider - the
two subkeys each have a "ProviderOrder" value, the last item of which is
"WebClient". Remove that entry as well.

You cannot just remove the binary, since system file protection (SFP) will
simply copy it out of the DLL cache directory. If you delete both copies
(the real one and the one in the DLL cache,) you'll generate errors when the
OS cannot load/start the driver.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: winx@btconnect.com [mailto:winx@btconnect.com]
Sent: Monday, May 27, 2002 3:23 PM
To: Tony Mason; 'o00o_j'; focus-ms@securityfocus.com
Subject: RE: Why does XP establish HTTP connection when browsing network shares?

Hi,

Exactly how is WebDAV disabled?

Regards,
Alex Jordanov

---- original message ----

>This is the WebDAV mini-redirector that is part of Windows XP (mrxdav.sys).
>It consists of this kernel mode driver, a user mode service, and the
>mini-redirector wrapper (rdbss.sys).
>
>You can disable WebDAV and nobody will notice UNLESS they are using DAV.
>
>Regards,
>
>Tony
>
>Tony Mason
>Consulting Partner
>OSR Open Systems Resources, Inc.
>http://www.osr.com
>
>
>-----Original Message-----
>From: o00o_j [mailto:o00o_j@yahoo.com]
>Sent: Friday, May 24, 2002 3:14 PM
>To: focus-ms@securityfocus.com
>Subject: Why does XP establish HTTP connection when browsing network shares?
>
>I've noticed some strange behavior from our IDS. Ever since deploying
>Windows XP to our network, I've been seeing connection attempts to port 80
>on servers not running HTTP daemons. Taking a closer look, I discovered
>darn near every one was from a Windows XP machine belonging to techs who
>service those servers. I left it as a curiosity until one day, by chance,
>I noticed my machine triggered the same IDS alarm right after I opened a
>network share (C$) on that machine.
>
>Digging down further, I captured a TCP conversation between my PC (an XP
>machine) and a server. Sure enough, towards the end of all the SMB jargon
>is an HTTP exchange, with my client at one point sending the following:
>---
>OPTIONS / HTTP/1.1
>translate: f
>User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
>Host: [NetBIOS name of host i'm trying to connect to]
>---
>and receiving back a canned warning from my IDS. I'm sure this is nothing
>to worry about, however I'm concerned about disabling it to limit false
>positives on my IDS. Any ideas? thoughts? Any info. would help here...
>our XP guru in-house had never heard of this before. thanks in advance.
>
>-j
>
>
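
The two registry changes described in Tony Mason's reply at the top of this message, as an added PowerShell example that is not part of the original thread. It only reports by default and writes when run with `-Apply`, a switch that is this example's own; the key paths, the value 4 and the "WebClient" entry are taken from the reply, which notes the approach was not confirmed.

```powershell
# Added example: audit (default) or apply the two registry changes from the reply.
# Run from an elevated prompt. Nothing is written unless -Apply is given.
param([switch]$Apply)

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRXDAV'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider'

# Step 1: service start type of the redirector. 3 = manual start, 4 = disabled.
if (Test-Path $svcKey) {
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    Write-Output "MRXDAV Start = $start"
    if ($Apply -and $start -ne 4) {
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
        Write-Output 'MRXDAV Start set to 4 (disabled)'
    }
} else {
    Write-Output 'MRXDAV service key not present'
}

# Step 2: drop the WebClient entry from every ProviderOrder value under the
# NetworkProvider key. ProviderOrder is a comma-separated list of provider names.
foreach ($sub in Get-ChildItem -Path $provKey) {
    $props = Get-ItemProperty -Path $sub.PSPath
    if ($null -eq $props.ProviderOrder) { continue }   # subkey has no such value

    $old  = $props.ProviderOrder
    $kept = @($old -split ',' |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ -and $_ -ne 'WebClient' })   # -ne ignores case
    $new  = $kept -join ','

    if ($new -eq $old) {
        Write-Output "$($sub.PSChildName): no WebClient entry"
        continue
    }
    Write-Output "$($sub.PSChildName): '$old' -> '$new'"
    if ($Apply) {
        Set-ItemProperty -Path $sub.PSPath -Name ProviderOrder -Value $new
    }
}
```

Running it once without `-Apply` records the current `Start` value and provider lists, which is what you need to restore them if something that depends on DAV stops working.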


