IIS 5 allows anonymous editing via Frontpage

Greetings,
We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx template. We have noticed that anyone that opens the website inside Frontpage can edit the contents of all websites on this server without being prompted for a password. We hope this is a simple misconfiguration issue and not an undocumented feature. Any advice you may have will be greatly appreciated. At present, we have turned off the Authoring feature on all our websites. This is not ideal, but effective for the moment. Thanks for any suggestions.

Greetings again,
We are searching for a solution other than just upgrading to IIS 6. This would be great, but at this time unfeasible.

Tim

"Tim100873" wrote:
> Greetings,
> We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx
> template. We have noticed that anyone that opens the website inside
> Frontpage can edit the contents of all websites on this server without being
> prompted for a password. We hope this is a simple misconfiguration issue
> and not an undocumented feature. Any advice you may have will be greatly
> appreciated. At present, we have turned off the Authoring feature on all our
> websites. This is not ideal, but effective for the moment. Thanks for any
> suggestions.

a) Which versions of the FPSE are you using on the server?
b) Assuming FPSE2000 (which ships with IIS5) then when you enabled FPSE on the websites in question, you would have been prompted to create three local groups. If you didn't create those groups (either via the wizard or manually) you will experience the symptoms you see. Rerun the wizard and create the groups.
c) Assuming you did create the groups, verify what groups are members of the Authors group.

Cheers
Ken

"Tim100873" <Tim100***@discussions.microsoft.com> wrote in message
news:B50AA93F-BE8D-4BC2-811E-F80F66AECA9F@microsoft.com...
: Greetings again,
: We are searching for a solution other than just upgrading to IIS 6. This
: would be great, but at this time unfeasible.
: Tim
:
: "Tim100873" wrote:
:
: > Greetings,
: > We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx
: > template. We have noticed that anyone that opens the website inside
: > Frontpage can edit the contents of all websites on this server without being
: > prompted for a password. We hope this is a simple misconfiguration issue
: > and not an undocumented feature. Any advice you may have will be greatly
: > appreciated. At present, we have turned off the Authoring feature on all our
: > websites. This is not ideal, but effective for the moment. Thanks for any
: > suggestions.

It sounds like you are storing the website content on FAT instead
of NTFS volume

"Tim100873" <Tim100***@discussions.microsoft.com> wrote in message
news:A7DC80EB-663B-4D2A-A8AC-DF2D1D2629C4@microsoft.com...
> Greetings,
> We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx
> template. We have noticed that anyone that opens the website inside
> Frontpage can edit the contents of all websites on this server without
> being
> prompted for a password. We hope this is a simple misconfiguration issue
> and not an undocumented feature. Any advice you may have will be greatly
> appreciated. At present, we have turned off the Authoring feature on all
> our
> websites. This is not ideal, but effective for the moment. Thanks for
> any
> suggestions.

Hi,
I verified the sites are on NTFS, and all three groups - Authors, Admins, and Browsers are present in Computer Manager as groups for each site.

If I leave enable Authoring checked on the Server Extensions tab for each site, then no developer can attach to the sites to work on, but if I leave it enabled, anyone on the planet can load the sites and do whatever they want with them.

Thanks,
Tim

"Roger Abell [MVP]" wrote:
> It sounds like you are storing the website content on FAT instead
> of NTFS volume
>
> "Tim100873" <Tim100***@discussions.microsoft.com> wrote in message
> news:A7DC80EB-663B-4D2A-A8AC-DF2D1D2629C4@microsoft.com...
> > Greetings,
> > We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx
> > template. We have noticed that anyone that opens the website inside
> > Frontpage can edit the contents of all websites on this server without
> > being
> > prompted for a password. We hope this is a simple misconfiguration issue
> > and not an undocumented feature. Any advice you may have will be greatly
> > appreciated. At present, we have turned off the Authoring feature on all
> > our
> > websites. This is not ideal, but effective for the moment. Thanks for
> > any
> > suggestions.

Then you need to verify what account(s) are in the authoring group, and
that the browse group is not used to give excess NTFS permissions. Also, check members of any other group that has NTFS grants that are equal or more liberal than what is given to the authors group. In saying check the members I mean check not in the FP admin page but in the computer management (compmgmt.msc).

One quick way out of this might be to use the selection in All Tasks to revert the FP web to a VDir. This should get rid of all traces of FrontPage grants. Then, delete the auto-generated groups. Perhaps then also set permissions on the content from the top inherited to all (such as Administrators Full, IUsr_ Read). Finally then convert it back to a FP web and grant authorship using the FP admin page.

If this is the entire site, not just a web, one could do the same thing except one extends the site and has a little more work to do to revert to an unextended site compared to use of revert FP web to VDir task. At that point, if one needed to remove from site, I would consider uninstall of the FP2000 extensions and then have only the FP2002 extensions installed.

"Tim100873" <Tim100***@discussions.microsoft.com> wrote in message
news:B6FE3F42-4036-4DA2-9BA8-669DF2C3A6D0@microsoft.com...
> Hi,
>
> I verified the sites are on NTFS, and All three groups - Authors, Admins,
> and Browsers are present in Computer Manager as groups for each site.
>
> If I leave enable Authoring checked on the Server Extensions tab for each
> site, then no developer can attach to the sites to work on, but if I leave
> it
> enabled, anyone on the planet can load the sites and do whatever they want
> with them.
>
> Thanks,
> Tim
>
> "Roger Abell [MVP]" wrote:
>
>> It sounds like you are storing the website content on FAT instead
>> of NTFS volume
>>
>> "Tim100873" <Tim100***@discussions.microsoft.com> wrote in message
>> news:A7DC80EB-663B-4D2A-A8AC-DF2D1D2629C4@microsoft.com...
>> > Greetings,
>> > We are running IIS 5, and have run the lockdown tool (2.1) using the
>> > FPEx
>> > template. We have noticed that anyone that opens the website inside
>> > Frontpage can edit the contents of all websites on this server without
>> > being
>> > prompted for a password. We hope this is a simple misconfiguration
>> > issue
>> > and not an undocumented feature. Any advice you may have will be
>> > greatly
>> > appreciated. At present, we have turned off the Authoring feature on
>> > all
>> > our
>> > websites. This is not ideal, but effective for the moment. Thanks for
>> > any
>> > suggestions.
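
The membership and NTFS check described in the last reply can also be scripted from saved `cacls` and `net localgroup` output instead of being read off in compmgmt.msc. The following is an added example, not code from any poster in the thread; the machine name, site name, group names and sample output are constructed, and the list of "broad" accounts is an assumption to adjust per server.

```python
import re

# Constructed sample output, not from the thread; all names are hypothetical.
# On the server, capture `cacls <dir>` and `net localgroup "<group>"` instead.
PATH = r"C:\Inetpub\site1"
CACLS = r"""C:\Inetpub\site1 BUILTIN\Administrators:(OI)(CI)F
                 WEB01\site1 Authors:(OI)(CI)C
                 WEB01\site1 Browsers:(OI)(CI)C
                 WEB01\IUSR_WEB01:(OI)(CI)R
"""
TAIL = "The command completed successfully.\n"
NET = {
    r"WEB01\site1 Authors": "Members\n\n" + "-" * 79 + "\nWEB01\\dev1\nEveryone\n" + TAIL,
    r"WEB01\site1 Browsers": "Members\n\n" + "-" * 79 + "\nWEB01\\IUSR_WEB01\n" + TAIL,
}

RANK = {"N": 0, "R": 1, "W": 2, "C": 3, "F": 4}   # cacls rights, least to most liberal
ENTRY = re.compile(r"^(.+):((?:\([A-Z]+\))*)([NRWCF])$")
BROAD = re.compile(r"(^|\\)(Everyone|Authenticated Users|IUSR_\w+)$", re.I)

def parse_cacls(path, output):
    """Map each principal in cacls output to its simple right letter."""
    acl = {}
    for line in output.splitlines():
        # The first line carries the path before the first entry.
        m = ENTRY.match(line.strip().removeprefix(path).strip())
        if m:
            acl[m.group(1)] = m.group(3)
    return acl

def parse_members(net_output):
    """Member names listed under the dashed rule of `net localgroup`."""
    body = net_output.partition("-" * 10)[2].splitlines()[1:]
    return [l.strip() for l in body if l.strip() and not l.startswith("The command")]

def audit(path, cacls_output, authors, nets):
    """Flag broad accounts that reach rights equal to or above the Authors group."""
    acl = parse_cacls(path, cacls_output)
    findings = []
    for who, right in acl.items():
        if RANK[right] < RANK[acl[authors]]:
            continue
        if BROAD.search(who):
            findings.append((who, right, "direct grant"))
        findings += [(who, right, m) for m in parse_members(nets.get(who, "")) if BROAD.search(m)]
    return findings

if __name__ == "__main__":
    print(audit(PATH, CACLS, r"WEB01\site1 Authors", NET))
```

In the constructed data both the Authors group (through an `Everyone` member) and the Browsers group (through a Change grant) give the anonymous account author-level access, which would produce the no-password editing described in the first post.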