FP2000: Security Best Practices for FrontPage 2000

This article shows you several ways to secure Microsoft FrontPage Web content.

Microsoft FrontPage allows you to apply security permissions to the content in your Web by using the Permissions dialog box. (To open the Permissions dialog box, point to Security on the Tools menu, and then click Permissions). With this method, you can apply only one set of permissions to the entire Web or subweb.

In some situations you may need to provide finer levels of security. For example, you may want to apply permissions to individual files and folders in a FrontPage Web. This article shows you how to do this by using a combination of the FrontPage security model and the file-level and folder-level level security permissions available in Microsoft Windows 2000 Server or Microsoft Windows NT 4.0 Server. Methods 1, 2, and 5 in this article show you how to combine FrontPage and Windows security. In addition, this article also shows you how to use FrontPage by itself to secure Web content.

Method 1: Manage Security Permissions in Windows

In this method, you use the FrontPage per-Web level of security, but you do not administer security permissions from the FrontPage Permissions dialog box. Instead, you create user groups in Windows and assign the appropriate FrontPage permissions. Access to the FrontPage Web is controlled through membership in these user groups. To do this, follow these steps:

1. In Windows 2000 or Windows NT 4.0, create the following groups for each FrontPage Web that you create, where Web name is the name of the FrontPage Web:
   Web name Admins
   Web name Authors
   Web name Browsers
2. In Windows 2000 or Windows NT 4.0, add the users that you want to the corresponding groups.
3. Start Microsoft FrontPage 2000, and then open the Web that you want.
4. On the Tools menu, point to Security, and then click Permissions.
5. Remove all groups from the Name list except the Administrators group. To do this, click each group, and then click Remove.
6. Click Add.
7. In the Obtain list from list, click the domain in which you created the new groups.
8. In the Names list, click Web name Admins, click Add>>, click Administer, author, and browse this web, and then click OK.
9. Click Add, click Web name Authors, click Add>>, click Author and browse this web, and then click OK.
10. Click Add, click Web name Browsers, click Add>>, click Browse this web, and then click OK.
11. Click Apply. If you receive a message similar to the following, verify that you want to allow anonymous browser access, and then click OK.
    These groups-DomainWeb name Browsers-contain the account used by your web server to implement Anonymous Logons. Granting these groups access will allow anyone to have this level of access anonymously.
12. Click OK.
13. On the Tools menu, point to Security, and then click Permissions. Verify that the security groups that you want are displayed in the list, and then click Cancel.

To control Browse, Author, and Admin permissions to the FrontPage Web, you can add user accounts to (or remove user accounts from) the newly created security groups in Microsoft Windows 2000 or Windows NT 4.0.

Tips

The following actions prevent users from changing the security configuration from within FrontPage. These actions prevent users from bypassing the Windows 2000 or Windows NT security groups that you create to control access to the Web:

• Restrict membership of the Web name Admins group to local Administrators or Domain Administrators.
• Do not grant FrontPage Administrative privileges to Web content authors.
  
  NOTE: This will prevent FrontPage authors from creating subwebs.

Method 2: Use Modified FrontPage Security Management

Use this method when the FrontPage per-Web security model is sufficient for your security needs, but you want to restrict access to a small number of directories in the Web. For example, you may want to remove anonymous browse access from one directory while maintaining anonymous browse access to the rest of the Web.

To remove anonymous browse access from a specific directory in a Web, remove the IUSR_computer name account from the security settings of that directory (where computer name is the name of the Web server computer). To do this, follow these steps.

Verify Anonymous Browse Access to the Web

1. Start FrontPage, and then open the Web that you want.
2. On the Tools menu, point to Security, and then click Permissions.
3. Click the Users tab.
4. Click Everyone has browse access (if it is not already selected), and then click OK.
5. Proceed to the next steps ("Remove Anonymous Browse Access from a Specific Folder").

Remove Anonymous Browse Access from a Specific Folder

1. On the Web server computer, start Windows Explorer.
2. Navigate to the folder from which you want to remove browse access.
3. Right-click the folder, and then click Properties on the shortcut menu that appears.
4. Click the Security tab, and then click Permissions.
   
   NOTE: In Windows 2000, you do not need to click Permissions.
5. In the Directory Permissions dialog box that appears, click IUSR_computer name (Internet Guest Account), and then click Remove.
6. Click OK twice, and then quit Windows Explorer.

When clients next attempt to browse to the Web content in the restricted folder, they are prompted for their user names and passwords before they are granted access. If they do not provide the correct credentials, they receive the following error message:

Tips

• As long as the Everyone has browse access option remains selected, FrontPage preserves the removal of anonymous access to the directories that you edit the security settings of.
• You can also use this method to restrict individual user accounts from certain directories on a Web in which anonymous access is turned off.
• To allow anonymous browsing to Web content in a folder again, add the IUSR_computer name (Internet Guest Account) to the access control list (ACL) of that folder and to its contents.
• To return the anonymous browse access settings to the default settings, follow these steps:
  1. Start FrontPage, and then open the Web that you want.
  2. On the Tools menu, point to Security, and then click Permissions.
  3. Click the Users tab.
  4. Click Only registered users have browse access, and then click Apply.
  5. Click Everyone has browse access, click Apply, and then click OK.
  6. Quit FrontPage.

Method 3: Use Subwebs to Manage Security

When you use the FrontPage security model in your Web, you can create security boundaries through the use of subwebs. In FrontPage, each subweb can maintain separate security settings. For additional information about creating a subweb and assigning unique permissions, click the article number below to view the article in the Microsoft Knowledge Base:

Tips

• Use subwebs to implement finer (or more granular) security levels.
• Use subwebs to increase performance in large Webs that contain many hyperlinks.
  
  NOTE: The time required to recalculate hyperlinks is directly proportional to the number and size of the documents stored in a single Web.
• The following issue may arise with the use of subwebs. Universal resource locators (URL) that are used to access the Web content may no longer reflect an organizational hierarchy. Therefore, linking between levels of this hierarchy becomes more difficult.

Method 4: Use a Staging Server

For the highest levels of security, create your Web content on an internal Web server and then copy or publish the completed Web to your "production" server. Use the FrontPage security model to manage permissions during the creation of the Web content.

This method has advantage of restricting access to the unfinished Web to authorized individuals. However, some FrontPage components, such as the default FrontPage form handler, become more difficult to configure.

Method 5: Manage Security Manually

In this method, you use the FrontPage security model to initially add a single group of users to whom you want to allow author permissions. This sets authoring permissions on the Microsoft FrontPage Server Extensions dynamic link libraries (DLLs) stored in the Web. After this is done, use Windows Explorer or the command line to edit the security permissions on the files or folders in the Web content directory. To do this, follow these steps.

Create a Group to Author Web Content

1. In Windows 2000 or Windows NT 4.0, create the following group for each FrontPage Web that you create, where Web name is the name of the FrontPage Web:
   Web name WebAuthors
2. In Windows 2000 or Windows NT 4.0, add the users accounts that you want to the WebAuthors group.
3. Start Microsoft FrontPage 2000, and then open the Web that you want.
4. On the Tools menu, point to Security, and then click Permissions.
5. Click the Users tab. Do one of the following:
   • If you want to allow anonymous browse access the Web, click Everyone has browse access.
   • If you do not want to allow anonymous browse access the Web, click Only registered users have browse access.
6. Click the Groups tab.
7. Remove all groups from the Name list except the Administrators group. To do this, click a group, and then click Remove.
8. Click Add.
9. In the Obtain list from list, click the domain in which you created the new group.
10. In the Names list, click Web name WebAuthors, click Add>>, click Author, and browse this web, and then click OK.
11. Click Apply, and then click OK.
12. Quit FrontPage 2000.
    
    NOTE: After you add the initial WebAuthors group, do not use the FrontPage Permissions dialog box to further manage security of the Web content.
13. Proceed to the next steps ("Directly Edit File and Folder Permissions on the Web Content in Windows").

Directly Edit File and Folder Permissions on the Web Content in Windows

Use Windows Explorer or the Cacls.exe or XcAcls.exe command-line utilities to directly edit the file and folder security permissions for the Web content.

WARNING: Do not overwrite the existing permissions on the _vti_* folders (_vti_pvt, _vti_script) in the root directory of the Web. These folders contain configuration data for the entire Web.

Use caution when you select the Replace Permissions on Existing Files or the Replace Permissions on Subdirectories check boxes in the Directory Permissions dialog box. In Windows 2000, verify that the Allow inheritable permissions from parent to propagate to this object and the Reset permissions on all child objects and enable propagation of inheritable permissions check boxes are cleared unless you want to enable those selections.

NOTE: Microsoft recommends that you use the Cacls.exe or XcAcls.exe command-line utilities. With these utilities, you can directly edit the access control list (ACL) of an item.

For additional information about using the command line to edit security permissions, click the article numbers below to view the articles in the Microsoft Knowledge Base:

REFERENCES

For additional information about setting permissions on a Microsoft FrontPage Web, click the article numbers below to view the articles in the Microsoft Knowledge Base: