FrontPage Security Best Practices

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

 

Mary Burk

Mess Enterprises

June 2002

Summary:   Learn some basic techniques for protecting Web sites created in Microsoft FrontPage. Mary Burk provides a list of best practices to seal up and lock down FrontPage sites. The practices discussed include Web server settings, file system security, and FrontPage Server extensions.

Contents

INTRODUCTION
Windows NT and IIS Security

INTRODUCTION

We all know Web sites get broken into. We also know there are numerous processes you can put into place to lock down a Web site and prevent it from being infiltrated. Every beginning Webmaster tasked with securing a Web site can benefit from a best practices guide. This review will help get you started. Use these suggestions to protect your Microsoft® FrontPage Web® site, and deter all those pesky hackers.

**Note   **This article describes security for the Microsoft Windows NT® Server operating system, Internet Information Server (IIS) version 4.0 or later, and an installation of FrontPage 2002 Server Extensions on an IIS Web server. For information about security practices under UNIX and/or Apache for FrontPage, please refer to the For More Information section at the end of this article.

Windows NT and IIS Security

There are many security tools in Windows NT Server and Internet Information Services(IIS). These tools, such as NT user authentication, server certificates, and Secure Sockets Layer (SSL), to mention just a few, will help you prevent unwanted access.

Authentication

Authentication takes many forms and offers varying degrees of security advantages. A combination of authentication schemes and permissions on your server file system and the Web server's standard configuration combine to work with one another without conflict.

  • Anonymous authentication is the most basic way to control access to your Web. Your IIS Web server creates an anonymous user called IUSR_computername to allow it access to Web services running on the server. When a Web site visitor requests a page on your Web site, the server receives the request and presents the page.
  • Basic authentication, such as user name and password, does not require special access through firewalls and guarantees that your Web site will be available to most Web browsers. Basic authentication transmits user names and passwords in an unencrypted ASCII format, therefore, it can be easily decoded. However, if you combine basic authentication with SSL, you are adding a layer of encryption to the authentication text being transmitted, thus masking your users' access information when snoops attempt to monitor your Web site traffic.
  • Integrated Windows authentication, also referred to as the Windows NT challenge response, can encrypt user names and passwords for multiple requests and transaction interactions between the client visitor and Web server. One disadvantage to this solution is that it does not work with all browsers, most notably Netscape. However, a combination of basic authentication and Windows authentication can help to keep your Web-accessible data secure and available to a larger Web visitor audience.
  • Digest access authentication is similar to basic authentication, except that a user name and password are transmitted in encrypted format. This requires a challenge-response process based on a server-specified data string combination of an algorithm and your username and password. The digest scheme challenges the user with a request for a matching nonce. A nonce is a server-specified data string that can be uniquely generated each time a user tries to access a restricted area on your Web server (commonly known as a 401 error). A nonce contains a checksum of the user name, password, the given nonce value, the Hypertext Transfer Protocol (HTTP) method, and the requested Uniform Resource Locator (URL). When a valid response in this authorization scheme is passed to the server, the algorithm and user information combination receives access to the restricted page or site. Therefore, a password is never sent as easily decoded text. You can configure a nonce value to be different for each requested page and require every user to supply unique nonce values for accessing information on your Web site.

**Note   **This authorization method requires IIS 5.0 or later on the server and Microsoft Internet Explorer 5 or newer on the client computer. Digest access authentication works with domain accounts only. You cannot use digest access authentication with local user accounts.

**Note   **Local security and domain security can be a bit confusing. Local security refers to security for the local machine. Domain security refers to the security of all machines within a network. By default, local user accounts only have rights to the machine they exist on, unless they are also given permissions within a domain. Domain user accounts have rights on the network, but not necessarily any rights on local machines. A user account could have full control over Windows NT Server, yet have no rights on the network. Domain controllers do not have local user accounts because the accounts they carry are domain accounts, which provide a higher level of access by default.

  • Certificate authentication, also known as SSL, provides privacy, authentication, and message integrity. By using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, and even message forgery. With Microsoft SharePoint™ Team Services or FrontPage 2002 Server Extensions, SSL ensures secure authoring across firewalls and security during remote administration of SharePoint Team Services or FrontPage 2002 Server Extensions. You can specify that SSL be used when opening a SharePoint team Web site or opening or publishing FrontPage-based Web sites.

When you choose the authentication method that you want to use for your Web server, you will not be able to change the authentication method with SharePoint Team Services or with FrontPage 2002 Server Extensions administration tools. You must use the IIS administration tool for the server to change any previous authentication method that you used before integrating SharePoint Team Services or FrontPage 2002 Server Extensions.

FrontPage 2002 Server Extensions and SharePoint Team Services rely on the Windows operating system to secure the Web file system. Windows NT supports access control lists (ACL) to secure files and folders.

Note ACLs are supported only by the Windows NT File System (NTFS). SharePoint Team Services and FrontPage 2002 Server Extensions security are partially based on ACLs, therefore you must use NTFS on the Windows NT Server that hosts IIS and SharePoint Team Services or FrontPage 2002 Server Extensions.

IP Addresses

Internet Protocol (IP) addresses are a useful way to define access permissions. An IP address is a unique number that identifies a computer on a network. The IP address is always sent along with a page request. Therefore, you can either grant or deny access to your Web site based on the IP address of the requesting party. By selecting Grant Access in the IIS Internet Service Manager, you can grant access to everyone except listed IP addresses. By selecting Deny Access, you can deny access to everyone except a set list of IP addresses.

Firewalls

A firewall is software that examines every packet of data received and transferred from your computer. If a packet is determined to be malicious or a connection is accessing data that it should not be, the firewall will block that packet from going through. Some popular firewall programs include ZoneAlarm, Norton Personal Firewall, and BlackICE. It is strongly suggested that you implement a firewall of some kind on your server to protect your site.

The free ZoneAlarm firewall is installed very easily under Windows NT and offers multiple options for configuring network and application access to the server as well as inactivity locks that block specific servers running locally and over the Internet.

For a home-based Web server or a small network with one static IP address, you may be using a router or hub to provide an internal network IP range or Internet connectivity for the office. Frequently, a router also acts as a firewall for an internal network and a Web server, allowing aliased access to the public Web site running off the internal network. You can use aliased domain name translation to allow visitors access to their correct internal destination.

If your network runs off two network interface cards (NICs) installed on your server, administration settings in a program such as WinRoute will allow you to set up a firewall through the internal network card itself. Configure your network address translation (NAT) router to forward incoming connections to the correct internal IP addresses on the ports where you would like to accept connections on (80, 21, etc). Most importantly, when modifying network settings, make sure that your HTML pages do not contain any absolute paths to your internal IP address. Use relative paths (or variables for machine and port values) to ensure that changes to your network and security scheme tests do not block your users' access.

FrontPage 2002 Server Extensions

FrontPage 2002 Server Extensions allow finer-grained permissions to grant or deny access to through a role-based security model.

SharePoint Team Services and FrontPage 2002 Server Extensions refer to the user-based security model as user roles. With user roles, you do not have to control file and folder permissions separately, or worry about keeping local groups synchronized with your list of Web users. User roles give users permissions in your Web site, and use SharePoint Team Services and FrontPage Server Extensions 2002 administration tools to add new users to the system directly.

FrontPage 2002 also allows you to manage Web sites on a local server, or remotely through HTML Administration pages or a command-line shell interface, grant authoring, browsing, site management, or other user rights to authenticated users, and track errors on the server to help prevent site and server crashes.

FrontPage 2002 Sub-Web Creation and Security

In FrontPage 2002, a sub-Web acts as a Web folder. The following tutorial describes how to set specific permissions and authorizations for a sub-Web:

  1. Open your Web site with FrontPage 2002.

  2. In your root Web, highlight a domain name (or IP address), right-click it, and choose New Folder.

  3. Give your new sub-Web a name.

  4. Right-click your new folder and choose Convert to Web. Once the folder is a sub-Web, you will see a globe on the folder.

  5. Double-click the new sub-Web to enter it.

  6. From the main menu, click Tools, and then select Permissions. If you are prompted for your user name and password, enter them here.

  7. Click Change Permissions.

  8. Select Use Unique Permissions.

    **Note   ** Wait two minutes for the new security settings to update to the server database.

  9. From Permissions, select Manage Users.

  10. Select Add a User. Set a user name and password, and select the role of Browser, then click Submit.

  11. From Permissions, select Change Anonymous Access. Click Off.

  12. Submit your change. This will lock your sub-Web down to either the new user created, or to your admin account.

  13. Publish content to the sub-Web.

You can verify your changes by opening the sub-Web in a browser. Anytime a security change is made to a sub-Web, the change takes two minutes to become effective.

For More Information

It should be clear that we have only scratched the surface of information that you will want to absorb about FrontPage security. Thankfully, the amount of information available on security for your FrontPage Web site is extensive. Here is a list of recommended sites that can help you learn more about Web security issues:

Microsoft TechNet hosts articles about Web security and peer discussion groups for information technology professionals.

The Trusted SystemsWeb site has detailed information that evolved from a one-year research project done for the National Security Agency (NSA).

SANS Institute offers a variety of useful materials including technical papers, posts about security holes and attacks, software tools, links to other great resources, and more.

The Security Administrator site has up-to-date information on security issues in Windows NT and much more.

The RSA Security site is one of those places where the idea of Web security began. If you need information about encryption, this is a good place to look. The site includes some very technical information on encryption, as well as a complete set of common encryption standards.

Mary Burk is the Senior Consultant at Mess Enterprises, a creative software company that offers fun content and Web development services.