
iis security : IIS 5 allows anonymous editing via Frontpage


Tim100873
3/27/2006 5:12:01 PM
Greetings,
We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx
template. We have noticed that anyone that opens the website inside
Frontpage can edit the contents of all websites on this server without being
prompted for a password. We hope this is a simple misconfiguration issue
and not an undocumented feature. Any advice you may have will be greatly
appreciated. At present, we have turned off the Authoring feature on all our
websites. This is not ideal, but effective for the moment. Thanks for any
suggestions.
Tim100873
3/27/2006 5:16:02 PM
Greetings again,
We are searching for a solution other than just upgrading to IIS 6. This
would be great, but at this time unfeasible.
Tim

Roger Abell [MVP]
3/28/2006 5:35:44 AM
It sounds like you are storing the website content on a FAT instead
of an NTFS volume.


Tim100873
3/28/2006 8:11:02 PM
Hi,

I verified the sites are on NTFS, and all three groups (Authors, Admins,
and Browsers) are present in Computer Management as groups for each site.

If I leave enable Authoring checked on the Server Extensions tab for each
site, then no developer can attach to the sites to work on, but if I leave it
enabled, anyone on the planet can load the sites and do whatever they want
with them.

Thanks,
Tim

Ken Schaefer
3/28/2006 9:51:58 PM
a) Which versions of the FPSE are you using on the server?

b) Assuming FPSE 2000 (which ships with IIS 5), then when you enabled FPSE on
the websites in question, you would have been prompted to create three local
groups. If you didn't create those groups (either via the wizard or
manually) you will experience the symptoms you see. Rerun the wizard and
create the groups.

c) Assuming you did create the groups, verify which groups are members of the
Authors group.

Cheers
Ken


Roger Abell [MVP]
3/29/2006 6:23:53 AM
Then you need to verify what account(s) are in the authoring group, and
that the browse group is not used to give excess NTFS permissions.
Also, check members of any other group that has NTFS grants that
are equal to or more liberal than what is given to the Authors group.
In saying "check the members" I mean check not in the FP admin page
but in Computer Management (compmgmt.msc).

One quick way out of this might be to use the selection in All Tasks
to revert the FP web to a VDir. This should get rid of all traces of
FrontPage grants. Then, delete the auto-generated groups. Perhaps
then also set permissions on the content from the top, inherited to all
(such as Administrators Full, IUSR_ Read). Finally, convert it
back to an FP web and grant authorship using the FP admin page.
If this is the entire site, not just a web, one could do the same thing,
except one extends the site and has a little more work to do to
revert to an unextended site compared to using the "revert FP web to
VDir" task. At that point, if one needed to remove it from the site, I would
consider uninstalling the FP2000 extensions and then having only the
FP2002 extensions installed.


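One way to carry out the checks Ken and Roger describe above (who is in the FPSE-created local groups, and which principals hold write-class NTFS grants on the content tree), as an added PowerShell audit script that is not part of this thread. It assumes a current PowerShell with the LocalAccounts cmdlets, a web-root path you supply, and the "Admins/Authors/Browsers" group-name suffixes mentioned in the thread.

```powershell
# Added audit script, not from the thread. Assumes Windows PowerShell 5.1+
# (Get-LocalGroup / Get-LocalGroupMember) and FPSE local groups whose names
# end in "Admins", "Authors" or "Browsers", as described in the thread.
param(
    [Parameter(Mandatory)] [string] $WebRoot   # assumed path, e.g. C:\Inetpub\wwwroot\site1
)

# Principals that should never hold authoring (write) rights on web content.
$untrusted = 'Everyone|\\Users$|Guests|IUSR_|IWAM_|ANONYMOUS|Browsers$'

# 1. Membership of the FPSE-style groups, as Computer Management would show it.
Get-LocalGroup | Where-Object { $_.Name -match '(Admins|Authors|Browsers)$' } |
    ForEach-Object {
        $g = $_
        $members = @(Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group   = $g.Name
            Members = ($members.Name -join ', ')
            Suspect = [bool]($members | Where-Object { $_.Name -match $untrusted })
        }
    } | Format-Table -AutoSize

# 2. NTFS ACEs on the content tree that allow any write-class right.
#    Mask covers the specific write bits plus GENERIC_WRITE / GENERIC_ALL,
#    which inherited ACEs sometimes carry as raw values.
$writeMask = [int][System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
$mask = $writeMask -bor 0x40000000 -bor 0x10000000
$dirs = @(Get-Item $WebRoot) + @(Get-ChildItem $WebRoot -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($d in $dirs) {
    $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path     = $d.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Suspect  = [bool]($ace.IdentityReference.Value -match $untrusted)
        }
    }
}
# Rows with Suspect = True are the grants that let browsers or anonymous users edit content.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it as an administrator on the web server; an Authors group containing Browsers, Users or Everyone, or a Suspect = True ACE on the content root, reproduces the "edit without a password" symptom from the original post.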