Using Security Features in FrontPage

Providing Security on a FrontPage-extended Web

Whether you are administering Web sites on an intranet or the Internet, the two main security issues are:

• Preventing unauthorized users from modifying a Web site or server computer.
• Preventing unwanted or bug-ridden programs and scripts from running on the server computer.

There are users who, with malicious intent, might try to gain access to a Web site. They might, for example, try to add to, change, or delete its content. Microsoft FrontPage provides a way to permit only certain users to browse, author, or administer a Web site.

A program or script can run on a server computer for a number of reasons. For example, marking a folder as executable can allow a program to run. HTML pages can themselves contain embedded controls, scripts, utilities, and other programs that can cause a program to run. And form handlers introduce the risk that users can submit commands from within form fields, thus causing programs to run. FrontPage has security settings that help prevent unauthorized programs from running on a server computer.

Top

Authenticating users and setting permissions

The two main ways to provide security are to authenticate users and give them permissions. Authentication is the process a system uses to verify that a user has authorization to enter the system. For example, when a user logs on to a computer running Microsoft Windows NT Server, the operating system compares the user’s name and password against an authorized list of user accounts that is maintained in Windows NT Server.

Permissions is the set of authorizations that specify what an authenticated user can do in a system. In the case of FrontPage, permissions specify which users can browse, author, and administer a FrontPage-extended web.

Just how FrontPage, Windows NT Server, and Microsoft Internet Information Server (IIS) work together to authenticate users and give them permissions forms the core of the FrontPage security strategy. That strategy enables you to:

• Set permissions based on a user’s role: administrator, author, or browser.
• Set permissions on individual files and folders.
• Allow or prevent authors from uploading executable scripts and programs.
• Require authors to use the Secure Sockets Layer (SSL) protocol.
• Enable or disable authoring.
• Log authoring actions.

Top

Applying role-based permissions in FrontPage

FrontPage provides the tools for setting permissions for three different categories of users. You can set permissions for:

• Web site visitors, to whom you give browsing permission.
• Authors, to whom you give authoring permission.
• Administrators, who can create, rename, and delete subwebs, as well as manage permissions.

Permissions are hierarchical: A user with administrative permissions has authoring and browsing permissions. A user with authoring permissions has browsing permissions.

By default, the permissions you set for a FrontPage-extended web are inherited by all the subwebs below it. You can, however, set unique permissions for a subweb that override the permissions inherited from the parent web.

By using FrontPage tools, you can set only role-based permissions and only on a FrontPage-extended web or nested subweb. You can’t use FrontPage tools to set permissions on files and folders. You can, however, use Windows NT Server to manually set permissions on files and folders, but that requires you to override FrontPage permissions.

Top

See also

You can also use FrontPage Server Extensions to provide security on UNIX operating systems. For more information, see the Front Page Server Extensions Resource Kit Web site at http://www.microsoft.com/frontpage/wpp/serk/.