This article was previously published under Q293512
This article has been archived. It is offered "as is" and will no longer be updated.
When you configure a Web site with the server extensions, security will be managed through the server extensions. There are several places in the Web site where the anonymous account or some groups with equally broad membership will have write access. Under normal circumstances, this is not a problem. This is because the only way to write to the site is by using FrontPage, which forces authentication before access is allowed. When you also have an FTP site configured to use the same file path and to allow anonymous access to the FTP site, the situation changes.
If both anonymous and write access are allowed to the FTP site, those folders to which the anonymous account has write access can be used as a storage location, without the site owner having knowledge of this. Sensitive files, such as the Global.asa file, which can contain passwords in clear text, will be exposed.
NOTE: This is not a security problem with the server extensions. They are not designed to work in this type of environment.
For a list of permissions settings for the directories and files that contain the FrontPage Server Extensions, visit the following Microsoft Web sites: