Identifying HTTP requests

So I'm looking to remove IIS from a few servers we used to have WSUS running on but machines are still contacting it (albeit very few) and I can't fathom where some of the requests are coming from.

For instance, a local client is requesting 2 shares and a GPO from the local DC (which had WSUS installed previously). The server responds to the initial OPTIONS command with a HTTP 200, and subsequent WebDAV PROPFIND commands with a 404.

I've included the most recent requests from 8 days ago below. Anyone out there know what would be generating these requests? Note that they occur at 04:58 am. It's a client workstation from the IP it's picked up and has probably been left on overnight.

2011-10-12 04:48:48 10.10.10.20 OPTIONS /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 200 0 0 4227
2011-10-12 04:48:48 10.10.10.20 PROPFIND /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 15
2011-10-12 04:48:50 10.10.10.20 PROPFIND /templates.group - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:48:51 10.10.10.20 PROPFIND /templates.group - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:48:51 10.10.10.20 PROPFIND /templates.group/ - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:55:15 10.10.10.20 OPTIONS /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 200 0 0 15
2011-10-12 04:55:15 10.10.10.20 PROPFIND /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:58:53 10.10.10.20 OPTIONS /SysVol/<company domain>/Policies/{342671BC-3BA8-4A16-3DB7-C2BA9060F772}/User/Scripts/Logoff - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 200 0 0 15
2011-10-12 04:58:53 10.10.10.20 PROPFIND /SysVol/<company domain>/Policies/{342671BC-3BA8-4A16-3DB7-C2BA9060F772}/User/Scripts/Logoff - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:58:53 10.10.10.20 PROPFIND /SysVol/<company domain>/Policies/{342671BC-3BA8-4A16-3DB7-C2BA9060F772}/User/Scripts - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:58:55 10.10.10.20 PROPFIND /SysVol/<company domain>/Policies/{342671BC-3BA8-4A16-3DB7-C2BA9060F772}/User/Scripts/Logoff/LogoffScript.vbs - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:58:55 10.10.10.20 PROPFIND /SysVol/<company domain>/Policies/{342671BC-3BA8-4A16-3DB7-C2BA9060F772}/User/Scripts/Logoff - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0

Anyone out there know what might be generating these requests? It doesn't appear to be WSUS related, perhaps SharePoint?
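
One way to answer "who is still talking to this IIS" before pulling it out is to parse the W3C log and group by client IP and User-Agent. The script below is an added example, not code from the original post. It assumes PowerShell 3.0 or later and the default IIS 7 field set (the `#Fields:` header line, which the excerpt above omitted, names the columns); the sample input is constructed from the question's own log lines plus one made-up non-WebDAV request, and the log path in the usage note is an assumption.

```powershell
# Parse IIS W3C extended logs using the #Fields: header to name the columns,
# then summarise requests per client IP / User-Agent so stray clients stand out.
function ConvertFrom-IisW3cLog {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin { $fields = $null }
    process {
        foreach ($l in $Line) {
            if ($l.StartsWith('#Fields:')) {
                # "#Fields:" is 8 characters; the rest is the space-separated column list
                $fields = $l.Substring(8).Trim() -split ' '
                continue
            }
            if ($l.StartsWith('#') -or -not $fields) { continue }   # other directives / no header yet
            $values = $l -split ' '
            if ($values.Count -ne $fields.Count) { continue }       # skip malformed lines
            $rec = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
            [pscustomobject]$rec
        }
    }
}

# Constructed sample: the #Fields: header IIS 7 writes by default, four lines
# from the question, and one invented browser hit (10.10.10.77) for contrast.
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-10-12 04:48:48 10.10.10.20 OPTIONS /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 200 0 0 4227
2011-10-12 04:48:48 10.10.10.20 PROPFIND /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 15
2011-10-12 04:48:50 10.10.10.20 PROPFIND /templates.group - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 404 0 2 0
2011-10-12 04:55:15 10.10.10.20 OPTIONS /templates.user - 80 - 10.10.10.125 Microsoft-WebDAV-MiniRedir/6.0.6002 200 0 0 15
2011-10-12 09:12:01 10.10.10.20 GET /iisstart.htm - 80 - 10.10.10.77 Mozilla/5.0 200 0 0 31
'@ -split "`r?`n"

$records = $sample | ConvertFrom-IisW3cLog

$records |
    Group-Object -Property 'c-ip', 'cs(User-Agent)' |
    ForEach-Object {
        $g = @($_.Group)
        $stamps = @($g | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)
        [pscustomobject]@{
            ClientIP  = $g[0].'c-ip'
            UserAgent = $g[0].'cs(User-Agent)'
            # The WebDAV redirector ("Web Client" service) identifies itself like this
            IsWebDav  = $g[0].'cs(User-Agent)' -like 'Microsoft-WebDAV-MiniRedir/*'
            Requests  = $g.Count
            FirstSeen = $stamps[0]
            LastSeen  = $stamps[-1]
            Statuses  = ($g | Group-Object 'sc-status' | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ' '
            Paths     = ($g | ForEach-Object { $_.'cs-uri-stem' } | Sort-Object -Unique) -join ' '
        }
    } |
    Sort-Object Requests -Descending |
    Format-Table -AutoSize -Wrap
```

To run it against the real logs, replace `$sample` with something like `Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'` (adjust the site ID and path to your server). The `IsWebDav` column separates WebDAV-redirector noise like the traffic above from genuine HTTP clients, and `LastSeen` tells you whether anything has used the server recently enough to matter; from `ClientIP` you can find the offending workstation via DNS or the DHCP lease table.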


Solution 1:

Seems like you've got a wacky client system trying to use WebDAV instead of SMB to access GPO files in sysvol - coincidence that it appeared on this domain controller, since it has IIS running from that old WSUS install.

In Network Connections, Advanced menu -> Advanced Settings, make sure the "Web Client" provider is below the normal options in the provider order.


Or just disable the Web Client service. But, yeah, feel free to strip IIS from this DC - the WebDAV attempts are failing anyway (for good reason), so it's not like you'll break anything.
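
The two fixes the answer describes, scripted for the affected workstation (10.10.10.125 in the question's logs), as an added example that is not part of the original answer. The GUI provider-order dialog edits the `ProviderOrder` value under `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order` (and its `HwOrder` sibling), so the script reads that value, moves `webclient` to the end if it sits ahead of `LanmanWorkstation` (SMB), and then, as the more drastic alternative, stops and disables the WebClient service. Run it elevated; the `$DisableService` switch is this example's own, not a Windows setting.

```powershell
# Added example: put the WebDAV redirector behind SMB in the network provider order,
# or switch it off altogether. Run from an elevated PowerShell on the client.
param([switch]$DisableService)

$orderKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
)

foreach ($key in $orderKeys) {
    $order = @((Get-ItemProperty -Path $key -Name ProviderOrder).ProviderOrder -split ',')
    "$key`n  current: $($order -join ', ')"

    # Compare case-insensitively; the registry typically spells it "webclient"
    $lower    = @($order | ForEach-Object { $_.ToLowerInvariant() })
    $davIndex = [array]::IndexOf($lower, 'webclient')
    $smbIndex = [array]::IndexOf($lower, 'lanmanworkstation')

    if ($davIndex -ge 0 -and ($smbIndex -lt 0 -or $davIndex -lt $smbIndex)) {
        # Keep every other provider in place, append webclient last so SMB is tried first
        $fixed = @($order | Where-Object { $_ -ne 'webclient' }) + 'webclient'
        Set-ItemProperty -Path $key -Name ProviderOrder -Value ($fixed -join ',')
        "  rewritten: $($fixed -join ', ')"
    } else {
        "  ok: SMB is already ahead of WebDAV (or WebDAV is not a provider here)"
    }
}

if ($DisableService) {
    # The WebClient service *is* the Microsoft-WebDAV-MiniRedir seen in the IIS log;
    # with it disabled the client can no longer fall back to WebDAV at all.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
        "WebClient service stopped and set to Disabled"
    }
}
```

A reboot (or at least a logoff) is the safe way to make a changed provider order take effect. Disabling WebClient also breaks anything that legitimately mounts WebDAV shares from that machine, such as opening a SharePoint document library in Explorer, so prefer the provider-order fix where that matters; to apply either fix fleet-wide, use a Group Policy Preference registry item for `ProviderOrder` or the System Services node under Computer Configuration > Windows Settings > Security Settings to set the WebClient startup type.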