Administering Security with Office Server Extensions

Setting Permissions on Web Sites

You can configure the types of actions that users can perform after they are authenticated on your OSE-extended web. There are four categories of users.

| Users in this category | Are allowed to |
| --- | --- |
| Browsers | View documents on the Web site. They cannot create or modify any content. |
| Collaborators | Participate in Web Discussions and create Web Subscriptions, in addition to having browser access. They cannot create or modify any content. |
| Authors | Create and modify Web site documents, in addition to having collaborator access. |
| Administrators | Modify permissions and other settings on the Web site, in addition to having author access. |

Note   You can configure user permissions only if your Web site is located on an NTFS-formatted disk.

When you use the Microsoft Office Server Extensions (OSE) Configuration Wizard to install OSE on a Web site, the wizard creates a Microsoft Windows NT group for each category of users. The following list identifies the user group names:

  • group_prefix Browsers
  • group_prefix Collaborators
  • group_prefix Authors
  • group_prefix Admins

    where group_prefix is a text label you provide to the wizard that defaults to the name of the Web site.

When you want to add a user to a category, use the User Manager application to add that user's Windows NT account to the Windows NT group. For example, if you add a user account to the group_prefix Browsers group, that account automatically gains browsing access to the Web site.

When OSE is installed on a Web site, the Microsoft FrontPage Server Extensions are automatically installed. A Web site with OSE installed is called an OSE-extended web. Each OSE-extended web maintains its own list of users in the four user categories.

You can create FrontPage-extended webs under the root OSE-extended web, and FrontPage-extended webs can be nested within other FrontPage-extended webs. Each FrontPage-extended web under the root OSE-extended web maintains its own list of Administrators, Authors, and Browsers groups — making a web a convenient way to differentiate user access while maintaining the other settings of the root web. User names associated with each group are stored separately in their respective webs. However, only one Collaborators group is used for the root OSE-extended web, and all the FrontPage-extended webs beneath it.

If you are just getting started using Microsoft Internet Information Server (IIS) and OSE, you probably do not need to worry about multiple Web sites. By default, IIS Setup creates one Web site with the description Default Web Site. When you install OSE, the default Web site becomes the root OSE-extended web.

The Configuration Wizard creates the four local Windows NT groups that correspond to the four categories of user privileges. By default, everyone has access to the Collaborators group, but you must add users to the other appropriate groups. Later, if you need to subdivide your OSE-extended web and give the same users different access to different content, you can create subwebs, or additional root OSE-extended webs. However, the OSE collaboration features work only with URLs that use the standard HTTP port (80). You cannot extend OSE-extended webs that use nonstandard ports, but you can extend any Web site with Microsoft FrontPage Server Extensions.


Enforcing permissions with NTFS access control lists

To grant Browsers, Collaborators, Authors, or Administrators permissions, the OSE Configuration Wizard adds the four Windows NT groups to the access control lists (ACLs) of the folders and files of the root OSE-extended web. The wizard also gives each group the appropriate type of access to folders and files. In addition, the Collaborators, Authors, and Administrators groups are added to the ACL of the MSOffice virtual directory that the Configuration Wizard creates. The following table shows the permissions that each of these groups has.

| Windows NT group | Permissions on MSOffice virtual directory and files | Permissions on MSOAdmin folder and files |
| --- | --- | --- |
| Collaborators | Read and execute | None |
| Authors | Read and execute | None |
| Administrators | Full control | Full control |

You do not need to view or modify the ACLs directly because the wizard does this automatically. When you configure permissions with the FrontPage administration tools, you need only to specify that each user is in the Browsers, Authors, or Administrators category. The FrontPage tools do not manage the Collaborators group or recognize the Collaborators category. You can use the User Manager application to modify the Collaborators group membership and the other group lists.

The following administration tools modify the ACLs to assign permissions to FrontPage-extended web users.

  • Fpsrvadm.exe
  • Fpremadm.exe
  • FrontPage Server Extensions Administrator snap-in
  • FrontPage Server Extensions Administration forms

The administration tools automatically assign the following types of access to each of the Windows NT groups. (These settings are added to the ACL of the root folder of the Web.)

| Windows NT group | Types of access |
| --- | --- |
| Browsers | Read, execute |
| Authors | Read, execute, write, delete |
| Administrators | Read, execute, write, delete, change permissions |

Note   The Windows NT Administrators group and the system account have full control access to all files.


Granting permissions to computers

In addition to granting permissions to specific users, you can grant permissions to specific computers. Every computer on the Internet or an intranet uses the TCP/IP network protocol and has an IP address. By using the FrontPage client, you can use an IP address to identify a computer, and you can grant Browsers, Authors, or Administrators permissions to that computer.


Managing permissions more precisely

Permissions for content on an OSE-extended web typically apply to the entire OSE-extended web. For example, a user with authoring permission can change any page on the web, and a user with browser permission can view any page.

Although the OSE Configuration Wizard creates groups that make it easy to modify permissions on the FrontPage-extended web as a whole, it is often necessary to divide content on a server so that different users have different permissions in each area of the web.

You have two mechanisms for setting varied permissions on content.

  • Divide the content into as many FrontPage-extended subwebs as there are sets of browsers, authors, or administrators.
  • Set varying permissions on the folders and files of a single FrontPage-extended web. This option requires that you bypass the built-in FrontPage tools for setting permissions.

Using subwebs to set mixed permissions

When you use subwebs, you automatically achieve more controlled security than without subwebs because each subweb maintains separate security settings. Also, using subwebs to set mixed permissions on your content is usually the most efficient way to divide your content among different sets of browsers and authors.

Managing permissions manually

You can bypass the built-in security features of FrontPage, and manually set permissions on the content of a FrontPage-extended web. This option allows you to set permissions on a per-folder or per-file basis, and that gives you precise control of security for the FrontPage-extended web. However, if you set permissions manually, you must manage the ACLs yourself.

When you manage ACLs manually, you must modify the ACLs in the top-level folder of the FrontPage-extended web. At a minimum, you must give administrators Read, Write, and Change permissions on the top-level folder of the FrontPage-extended web or subweb.

Caution   Managing ACLs manually is an advanced technique, and mismanaging can result in weakened security for the content on your Web server.
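
If you manage ACLs manually, a periodic comparison against the access types listed above catches drift on the root OSE-extended web. The following is an added example, not code from the Resource Kit or from Microsoft; the listing format, the sample group prefix, the full-control principal labels, and the Collaborators baseline are assumptions made for illustration.

```python
# Added example; the "principal: right, right" listing is a constructed format,
# not the output of any Windows tool.
BASELINE = {  # access types per group suffix, from the page's root-folder table
    "Browsers": {"read", "execute"},
    "Authors": {"read", "execute", "write", "delete"},
    "Admins": {"read", "execute", "write", "delete", "change permissions"},
    # Assumption: Collaborators get browser-level access, per the category table.
    "Collaborators": {"read", "execute"},
}
# The page notes these principals hold full control on all files (labels assumed).
FULL_CONTROL = {"Administrators", "SYSTEM"}


def parse_acl(text):
    """Return {principal: set(rights)} from 'principal: right, right' lines."""
    acl = {}
    for line in text.splitlines():
        if ":" in line:
            principal, rights = line.rsplit(":", 1)
            acl.setdefault(principal.strip(), set()).update(
                r.strip().lower() for r in rights.split(",") if r.strip())
    return acl


def audit(text, group_prefix):
    """Return sorted (kind, principal, rights) findings for drift from BASELINE."""
    acl, findings = parse_acl(text), []
    expected = {f"{group_prefix} {s}": r for s, r in BASELINE.items()}
    for principal, rights in acl.items():
        if principal in FULL_CONTROL:
            continue
        want = expected.get(principal)
        if want is None:  # a principal outside the four wizard-created groups
            findings.append(("unexpected", principal, tuple(sorted(rights))))
            continue
        for kind, diff in (("excess", rights - want), ("missing", want - rights)):
            if diff:
                findings.append((kind, principal, tuple(sorted(diff))))
    findings += [("absent", g, ()) for g in expected.keys() - acl.keys()]
    return sorted(findings)


SAMPLE = """\
Default Web Site Browsers: read, execute, write
Default Web Site Authors: read, execute, write, delete
Default Web Site Admins: read, execute, write, delete
Everyone: read
Administrators: full control
"""
```

Calling audit(SAMPLE, "Default Web Site") reports the Browsers group holding write access, the Admins group lacking change permissions, a direct entry for Everyone, and the missing Collaborators group.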


See also

For the procedure you need to use to manage permissions manually on a FrontPage-extended web, see How to Configure Security on Your OSE-extended Web.

You can use several tools to manage permissions on FrontPage-extended webs. For more information about using the tools, see Advanced Administration of Office Server Extensions.



  Friday, March 5, 1999
© 1999 Microsoft Corporation. All rights reserved. Terms of use.
