How Should IIS permissions be set to prevent hacking?


How Should IIS permissions be set to prevent hacking? StarView
7/3/2004 7:37:01 PM
Re: How Should IIS permissions be set to prevent hacking? StarView
7/3/2004 9:24:01 PM
He added a couple of lines of text to my index/home page. At that time I did not have my firewall (ZoneAlarm) running so we could troubleshoot some problems. But, regardless of a firewall running (it's up again), I wonder what I need to do in IIS to prevent anyone from making & saving any changes. Any advice is very welcome. Thank you.

Re: How Should IIS permissions be set to prevent hacking? StarView
7/3/2004 9:30:01 PM
Hi Ken,

Thank you for the recommendations. I've done (a) thru (c). For (d), I do not have an option to configure FPSE - only to check them. I've run the "check server extensions," asking if I want to make them as tight as possible. I replied yes and it corrected whatever problems were found. I do not have the option to configure or set up groups of users. I'm running Win XP Pro SP1, IIS 5.1, FP 2003.

Any further recommendations are very welcome. Thank you.

John.

Re: How Should IIS permissions be set to prevent hacking? StarView
7/4/2004 12:57:01 AM
Hi - Boy, you've exposed me to a whole new dimension of my computers that I need to understand - which I don't completely. I see the two folders - users & groups. I do not have an Authors or Browsers group. I have: Administrators, Backup Operators, Guests, Network Configurators, Power Users, Remote Desktop Users, Replicator, Users, and HelpServicesSupport.

I take it that when I need to create (author) & publish web pages, I need to be logged on as one user. The rest of the time, I need to be logged on as a different user.

So, what do you recommend for a user and group for creating & publishing web pages, and what do you recommend for a user and group for when anonymous Internet users access the web pages, click on a button to execute a command in some home automation S/W, or get remote access w/in the house from a wireless smart display, yet are prevented from editing the website and introducing other nasty things?

(BTW - thank you very much for your support so far. I really appreciate it.)

John.

Re: How Should IIS permissions be set to prevent hacking? jeff.nospam NO[at]SPAM zina.com
7/4/2004 3:07:56 AM
On Sat, 3 Jul 2004 19:37:01 -0700, "StarView"

First, tell us what your friend did to change the page. Beyond that,
firewalls, NTFS permissions, FP permissions and roles, strong passwords
and so on are the route you need to take.

Re: How Should IIS permissions be set to prevent hacking? StarView
7/4/2004 9:12:03 AM
Ken,

Doing as you suggested: A) Helped me see & set up the groups you mentioned; thank you. B) Is now preventing me from accessing my own remote web server (IIS) even when I log on as administrator. Do I need to just uninstall FP & IIS & start over, or do you see a less painful and time consuming approach I ought to take? BTW, once these groups and users are set up, I'm unclear on what the configuration needs to be in the directory security tab in the default web properties (Up until now, I've had to change the user at this tab from IUSR to administrator for me to be able to open it in FP; then I'd have to remember to change it back to IUSR when I was done. Now logging on as an administrator & setting the above to the administrator user results in FP saying that Sharepoint Services are not installed & it does not let me in.) HELP.

Re: How Should IIS permissions be set to prevent hacking? Ken Schaefer
7/4/2004 1:23:23 PM
Hi,

If you followed the defaults you should be fine:

a) Ensure that all accounts on your computer have passwords. To do this,
right-click on "My Computer" and choose "Manage". Expand the Users and
Groups node, and select the Users folder. For each user account that you
have created, plus the Administrator account, right-click and choose "Set
Password". Make sure you are not using EFS (Encrypting File System), or that
you have the necessary password reset disks etc.

b) Install IIS, including FPSE

c) Go to windowsupdate.microsoft.com and get all the necessary updates

d) Open IIS Manager, right-click on your website, All Tasks, Configure FPSE

e) Add the FPSE extensions, and *ensure* that you choose to create the three
local groups

f) Now, in the Users & Groups section you used previously under Computer
Management (in (a) above), add users into the various groups you created in
(e). Basically, all user accounts who should be able to author documents go
into the Authors group

g) Now, your FPSE publishing is only as secure as your passwords. If your
friend can guess your password, they can still get in - because FPSE has no
idea whether it's really you, or someone pretending to be you :-)

<shameless plug>
Grab my IIS 6.0 security book if you want more information on IIS security
stuff. There's a free chapter on my website: www.adopenstatic.com. The book
deals with IIS 6.0 security, but some of the stuff overlaps with IIS 5.0.
</shameless plug>

Cheers
Ken


: A friend today demonstrated how he was able to modify my default page. He
: suggested coming here. What/where/how do I need to configure the
: permissions in my IIS (in WinXP Pro) such that I can update my pages (using
: FP), and allow Internet users to read the pages, yet prevent anyone from
: changing them or adding malicious code?

Re: How Should IIS permissions be set to prevent hacking? Ken Schaefer
7/4/2004 3:29:45 PM
Hi,

a) If you've already added FPSE, you do not have the option to "configure
FPSE" - this option is only there if you have not already added FPSE

b) I have *no* idea what you've done to your system prior to this point. The
instructions below are for setting things up from scratch. If you've
modified other settings, you may have opened other possible methods of
altering content (eg directly via fileshares, via WebDAV etc)

c) You create the FPSE groups using the "Configure FPSE" option. When you
initially added FPSE 2000 you would have been asked if you wanted to create
the 3 local groups. If you replied "yes", then these already exist. You can
check by right-clicking on "My Computer" and choosing "Manage". In the
"Manage Computer" MMC Snapin, there is a node called "Local Users and
Groups", underneath which are both "users" and "groups". If there are groups
called: <machinename> Admins, <machinename> Authors, and <machinename>
Browsers, then these groups have already been created.

Cheers
Ken


Re: How Should IIS permissions be set to prevent hacking? Ken Schaefer
7/4/2004 9:41:24 PM
Hi,

What I suggest you do is the following:

Open IIS Manager, right-click and choose to "remove frontpage server
extensions". Choose the option to keep your metadata in case you wish to
reinstall FPSE

Now, right-click on the website again, and choose to "configure frontpage
server extensions". Go through the wizard, and when it gets to the page
asking if you want to create the local groups *make sure you do*. If you do
not create these groups /anyone/ can change stuff on your website. The only
time you would not create these groups is if you already have FPSE on a
different website on the machine, and you created the groups when you set up
FPSE previously. Since this is your first (and only) website on this
machine, you need to choose to create these groups.

Now, by default, all administrator users are placed into the "Admins" group,
so, your account (assuming it's an admin account) will be able to perform
all administrative functions related to FPSE (including authoring files on
the server). As long as someone doesn't guess that username/password you're
fine.

Cheers
Ken



Re: How Should IIS permissions be set to prevent hacking? Karl Levinson [x y] mvp
7/5/2004 10:06:45 AM

Here's an important start:

www.microsoft.com/technet/security
[look for sections on Windows and IIS]
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#ftpfolder

Note that Win XP and any other Windows workstations are not good web
servers. There is a limit of 10 max concurrent connections, which equals
about two concurrent visitors to your web site max. The only fix is to
upgrade to a server version of Windows, or run Apache on Linux.



Re: How Should IIS permissions be set to prevent hacking? Ken Schaefer
7/5/2004 11:31:47 AM
Hi,

A) In the IIS Manager, on the Directory Security tab, you should leave the
Anonymous User account as IUSR_<machinename>. This account is used by IIS
when someone browsing your website does not supply credentials
(username/password). Provided you have *not* changed any other settings,
this should work fine.

B) To get FPSE web publishing working, you need to get the three FPSE groups
created. These are created when you configure the FPSE extensions. I suggest
you *uninstall* the FPSE extensions (as I suggested), then reinstall them.
When asked if you want to create the three local groups, please choose "yes"

C) After installing the FPSE extensions, right-click on the default website
and choose (as you've done before) to tighten security - this will reset the
NTFS permissions on all the files in your webroot so that publishing will
work properly *and* unauthorised users can not alter your files

D) In step (b), there are three groups created:
<machinename> Admins
<machinename> Authors
<machinename> Browsers

So, if your machine name is "Starview", the first group will be called
"Starview Admins". You can see these groups in the "Computer Management" MMC
snap-in (My Computer -> right-click and choose Manage -> Users and Groups ->
Groups). You add users to these groups, depending on what permissions you
want to give each user account. Any user that should be able to perform all
FPSE related activities goes into the Admins group (by default this is any
administrator on the machine). Any user who should just be able to
add/update content on the website goes into the Authors group, and anyone
who should just be able to view the FPSE configuration information goes into
the Browsers group.

Now, I do not know *what* things you've changed from the defaults on your
machine. As Jeff has mentioned *if* you just leave the defaults, everything
should work just fine. However, it seems that some things are wrong, because
your friend was able to change your webpages *and* the FPSE authoring groups
do not exist on your machine *and* you've changed the Anonymous user
account in the IIS Manager. It may be worthwhile going down to your local
bookstore, and buying a book on Frontpage Publishing...

Cheers
Ken


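Added example, not code from the thread, from Ken, or from anything shipped with FPSE or IIS: a PowerShell audit that checks, on the web server itself, the controls that Ken's steps (a)-(g) and points (A)-(D) above rely on. It reports the FPSE local groups and their members, verifies that the site's anonymous account is still IUSR_<machinename> rather than an administrator (the change John described making on the Directory Security tab), lists every NTFS ACE under the webroot that would let Everyone, Users, Guests, ANONYMOUS LOGON or the IUSR account modify content, and flags SMB shares that reach the webroot (the "fileshares" vector Ken warns about). Assumptions not stated in the thread: it runs elevated on Windows 10 / Server 2016 or later (PowerShell 5.1 with the LocalAccounts cmdlets, which did not exist on the 2004 XP box; the same checks are what one does by hand in Computer Management, IIS Manager and the folder Security tab), the webroot is C:\Inetpub\wwwroot, the site is the first one in the metabase, and the IIS ADSI provider answers at IIS://localhost/W3SVC/1/Root (IIS 5/6, or IIS 7+ with metabase compatibility installed). The group-name pattern accepts both the "HCPC Admins" form Ken gives and the "HCPC_Admins" form John reports.

```powershell
<#
  Added audit script for this thread (not Ken's code, not FPSE/IIS code).
  Checks, from the IIS host:
    1. the three FPSE local groups exist, and who is in them;
    2. the site's anonymous account is still IUSR_<machine> and not an admin;
    3. no anonymous or unprivileged principal can write under the webroot;
    4. no SMB share reaches the webroot.
  Assumptions: run elevated on Windows 10 / Server 2016+ (PowerShell 5.1);
  webroot C:\Inetpub\wwwroot; IIS ADSI provider at IIS://localhost/W3SVC/1/Root.
#>
param(
    [string]$WebRoot     = 'C:\Inetpub\wwwroot',           # assumed default webroot
    [string]$SiteAdsPath = 'IIS://localhost/W3SVC/1/Root'  # assumed: the first web site
)
$machine = $env:COMPUTERNAME

# --- 1. FPSE local groups --------------------------------------------------
# Ken names them "<machine> Admins/Authors/Browsers"; John's box shows an
# underscore form (HCPC_Admins), so either separator is accepted here.
$fpsePattern = "^$([regex]::Escape($machine))[ _](Admins|Authors|Browsers)$"
$fpseGroups  = @(Get-LocalGroup | Where-Object Name -match $fpsePattern)
if ($fpseGroups.Count -lt 3) {
    Write-Warning "Expected 3 FPSE groups, found $($fpseGroups.Count): publishing is not limited to named accounts"
}
foreach ($g in $fpseGroups) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue | ForEach-Object Name
    "FPSE group {0}: {1}" -f $g.Name, ($members -join ', ')
}

# --- 2. Anonymous account --------------------------------------------------
# The Directory Security tab stores this as AnonymousUserName in the metabase.
# It must stay the low-privilege IUSR_<machine> account; pointing it at an
# administrator (as John did to get FrontPage working) makes every visitor an admin.
try {
    $site = [ADSI]$SiteAdsPath
    $anon = [string]$site.AnonymousUserName
    if ($anon -ne "IUSR_$machine") {
        Write-Warning "Anonymous user is '$anon', expected 'IUSR_$machine'"
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object Name
    if ($admins -contains "$machine\$anon") {
        Write-Warning "Anonymous user '$anon' is a member of Administrators"
    }
} catch {
    Write-Warning "Could not read the metabase at $SiteAdsPath : $($_.Exception.Message)"
}

# --- 3. NTFS rights under the webroot --------------------------------------
# FPSE "tighten security" resets these ACLs. Any ACE that lets an anonymous or
# unprivileged principal write here lets a visitor deface the site without
# ever needing an FPSE password.
$lowPriv = @(
    'Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON',
    "$machine\IUSR_$machine", "$machine\Guest"
)
# Specific rights that change content or its ACL, plus the GENERIC_WRITE and
# GENERIC_ALL bits, which Get-Acl shows as raw numbers rather than names.
$writeRights  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWrite = 0x40000000 -bor 0x10000000

function Get-WritableWebContent {
    param([string]$Path, [string[]]$Principals)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and
                $Principals -contains $ace.IdentityReference.Value -and
                (($rights -band $writeRights) -ne 0 -or ($rights -band $genericWrite) -ne 0)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
$writable = @(Get-WritableWebContent -Path $WebRoot -Principals $lowPriv)
if ($writable.Count -gt 0) {
    Write-Warning "$($writable.Count) ACE(s) let low-privilege principals modify content under $WebRoot"
    $writable | Format-Table -AutoSize
}

# --- 4. SMB shares reaching the webroot ------------------------------------
# A share is a second way to edit content that bypasses FPSE entirely. Shares
# ending in $ are admin-only, so they stand or fall with the same password
# strength Ken describes in (g).
function Test-PathOverlap([string]$a, [string]$b) {
    $a = $a.TrimEnd('\') + '\'; $b = $b.TrimEnd('\') + '\'
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    $a.StartsWith($b, $cmp) -or $b.StartsWith($a, $cmp)
}
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    Get-SmbShare | Where-Object { $_.Path -and (Test-PathOverlap $_.Path $WebRoot) } |
        ForEach-Object { Write-Warning "Share '$($_.Name)' ($($_.Path)) reaches the webroot" }
}
```

Save it as a .ps1 and run it from an elevated prompt. On a box set up the way Ken describes, it prints the three group memberships and nothing else; each warning corresponds to one of the failure modes in this thread: missing FPSE groups, an administrator set as the anonymous user, content an anonymous visitor can write to, or a share that exposes the webroot. The ACL check is the one worth running again after any "tighten security" or manual permission change, because it tests the actual effective ACEs rather than what the wizard says it did.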
Re: How Should IIS permissions be set to prevent hacking? StarView
7/5/2004 2:56:01 PM
Hi Ken,

Thank you for the time you are spending replying to my posts. I appreciate it. I've removed the FPSE (checking the box to save data in case FPSE are reinstalled) and then configured them. Those groups are set up and I have the Administrator in the HCPC_Admins group. I'm logged on as the Administrator. In reading the uSoft online help for setting web site permissions, when I try to open the web site, URL http://www.remotedirector.com, a message comes back saying "The folder 'http://www.remotedirector.com' is not accessible. The folder may be located in an unavailable location, protected with a password, or the filename contains a / or \." This is really confounding. I do not know of any defaults that I've changed. Any other advice to share other than what you recommended above?

Re: How Should IIS permissions be set to prevent hacking? StarView
7/5/2004 3:03:01 PM
Hi Karl,

Thank you for your reply. The purpose of my web server is to allow home automation, streaming video, and sharing pics with friends. So I don't expect more than a couple of concurrent sessions. My ISP gasped when I told them I am using IIS. The tech recommends using Apache. But I'm afraid to load it on my WinXP Pro machine as I don't know how it may affect my machine.

Thanks, John

Re: How Should IIS permissions be set to prevent hacking? Paul Lynch
7/5/2004 3:53:58 PM
On Tue, 6 Jul 2004 00:11:18 +1000, "Ken Schaefer"

Actually Ken, 10 connections only equals 5 clients if you know for
sure that their browsers are HTTP 1.1 compliant or haven't been
modified in any way.

It's quite trivial to modify IE so that it could utilise all of the 10
available connections in XP.


Regards,

Paul Lynch
Re: How Should IIS permissions be set to prevent hacking? Karl Levinson [x y] mvp
7/5/2004 5:51:01 PM
I know that's the way it's supposed to work. Based on past posts here, I'm
not sure that's the way it really works. There's this certain large
software company that makes browsers that tends to not read or follow RFCs.



Re: How Should IIS permissions be set to prevent hacking? Tom Pepper Willett
7/5/2004 5:57:55 PM
The folder "http://Website" isn't accessible. The folder may be located on
an unavailable volume or protected with a password.

http://support.microsoft.com/support/kb/articles/Q260/7/55.ASP
http://support.microsoft.com/support/kb/articles/Q264/7/49.ASP
http://support.microsoft.com/support/kb/articles/Q266/6/65.ASP
http://support.microsoft.com/support/kb/articles/Q272/5/42.ASP
http://support.microsoft.com/support/kb/articles/Q287/3/99.ASP
http://support.microsoft.com/support/kb/articles/Q310/8/46.ASP

Tom Pepper Willett
Microsoft MVP - FrontPage
Re: How Should IIS permissions be set to prevent hacking? Ken Schaefer
7/6/2004 12:11:18 AM
Actually, the HTTP v1.1 spec says that each client should only open 2
connections, so 10 concurrent connections = 5 clients. Also, you can edit
the metabase so that you can get 40 concurrent HTTP connections (if you try
to set it to more, it will be reset to 10).

Cheers
Ken


Re: How Should IIS permissions be set to prevent hacking? Karl Levinson [x y] mvp
7/6/2004 1:27:51 AM
IIS can absolutely be made secure enough [especially if you're using IIS
Lockdown with URLScan, free from www.microsoft.com/technet/security]. The
bottom line is, you should always go with what you know and can support.
Hardening Apache isn't any easier than hardening IIS. The problem with IIS
isn't IIS as much as it is the people who don't know how to run IIS
securely. But then, that's also the problem with Apache.

