What are "Microsoft Office Protocol Discovery" and "OfficeLiveConnector" and why do they access invalid URLs?

ms-office

I monitor 404s on my sites closely which helps me detect broken links and hacking attempts but I've recently been getting log spam from browsers with these strings in the User Agent. They seem to be trying to scan parent directories of valid resources but directories have special meaning to my sites due to SEO rewriting.

Before I decide what to do about it I'd like to know what these UAs are trying to do and why. If it's just "noise" I'd be happy to drop the connection entirely otherwise if they do something useful I could provide an appropriate response.

I believe some of the requests are from my clients so I can't do anything too disruptive, as much as I'd like to.


Microsoft has a kb article (link currently broken, Internet Archive snapshot) that covers Protocol Discovery in fine detail. Essentially, Office is trying to determine if your server supports WebDAV (or something like it) so that changes the user makes to the Office document can be pushed back directly to the server.


On servers I have to maintain, this seems to occur due to html e-mail using external images hosted on our servers.

It looks like Microsoft Office Outlook clients, which uses Microsoft Word for editing e-mail (and for viewing them since 2007 edition), trigger those "Microsoft Office Protocol Discovery" requests.

In my case, web sites without any kind of online contribution, I see that as annoying noise. If your site is some kind of sharing site with documents editing capabilities, you may not consider those requests as annoying noise, depending on your site implementation.


This worked for me:

# Intercept Microsoft Office Protocol Discovery
RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PROPFIND)$ [NC]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Protocol\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Existence\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\-WebDAV\-MiniRedir.*$
RewriteRule .* - [R=501,L]

I assume your site serves the occasional office document - that's what is root cause of this issue normally. You can probably avoid the calls by telling office not to bother trying to find out if saves are possible.

This can be done by amending the Content-Disposition header in the served office document. I had this problem when it was set to:

Content-Disposition=inline; filename="<my file name>"

By changing it to Attachment, the calls were avoided:

Content-Disposition=Attachment; filename="<my file name>"

I host a regular, non-WebDAV, non-SharePoint website. Because of Microsoft Office Protocol Discovery I see many errors from failed requests in my log files. To eliminate these I recommend disabling WebDAV style requests by disabling the HTTP methods it uses, beginning with OPTIONS. This also increases security by avoiding certain HTTP attacks.

I am using Apache 2.4, I recommend the following in httpd.conf:

<Location />
    # block HTTP methods: OPTIONS PUT DELETE TRACE CONNECT PATCH
    AllowMethods GET POST HEAD
</Location>

See Apache 2.4 Reference

Related

What is the significance of the ProgramData folder in Windows?
scala, guidelines on return type - when prefer seq, iterable, traversable
What is the difference between Spring REST service, Jersey REST service and Spring+Jersey solutions?
C#: Perform Operations on GPU, not CPU (Calculate Pi) [closed]
Open-source: licence header on each source file OR a single COPYING OR both? [closed]
Symfony 2.0 step by step tutorial required [closed]
Two Git repositories share common code
node.js server and HTTP/2 (2.0) with express.js
Bash command to check if Oracle or OpenJDK java version is installed on Linux
What is R's multidimensional equivalent of rbind and cbind?
API Endpoint Semantics
NodeJS vs Play Framework for large project