Security Issues with FrontPage

Combining Server Extension security with Internet Information Services and Windows NT or Windows 2000 security will help any administrator sleep better at night. The Server Extensions provide administrative access, authoring access, and browse access using existing accounts or groups. All access to a FrontPage Web is based on the access control lists (ACLs) for each file and folder within the extended Web.

The Server Extensions rely on these ACLs to enforce security under Internet Information Services. ACLs exist only for files and directories on an NTFS partition, so it is imperative that the Web sites be stored on NTFS; on a FAT partition there is nothing for the Server Extensions to check. The Server Extensions also set ACLs on the system DLLs that a Server Extensions DLL calls, because those DLLs need the correct permissions for administrators, authors, and end users before the extended Web can function correctly. This section explains how the Server Extensions authenticate users in Internet Information Services.

When an administrator or author uses the FrontPage client for any operation that needs the Server Extensions, the client sends a POST request using FrontPage's own remote procedure call (RPC) protocol, which is layered over HTTP, with the results returned as HTML. Administrative requests go to Admin.dll, and authoring requests go to Author.dll. When a visitor's Web browser makes a request that the Server Extensions must fulfill, the browser sends a POST request to the browse-time Server Extensions program, Shtml.dll; submitting a search form or a form whose results are returned by e-mail are examples.

When a request requires the Server Extensions, Internet Information Services logs the user on, impersonates that user, and passes the request to the appropriate Server Extensions DLL (Admin.dll, Author.dll, or Shtml.dll). The DLL then validates the impersonated user against the ACLs on the root of the extended Web or subweb, using Windows NT or Windows 2000 system calls. If the permissions check out, the request is fulfilled; otherwise Internet Information Services returns a "permission denied" message. This happens whether the request comes from the FrontPage client or a Web browser.

Internet Information Services supports three basic types of authentication. The process for fulfilling the Server Extensions requests depends upon the authentication method(s) specified in Internet Information Services.

  • Anonymous access. When Allow Anonymous is selected as the authentication method, the request is made under the anonymous account configured in Internet Information Services (IUSR_computername by default), and that account is checked against the Windows NT or Windows 2000 ACLs. If the ACLs grant the anonymous account the required access, the request is accepted; otherwise a "401—Access Denied" error is returned.

  • Basic authentication. If Basic authentication is enabled in Internet Information Services, it is used to authenticate users, in this case the Server Extensions administrators or authors. The browser prompts the user for a login ID and password and sends them over HTTP in clear text (Base64-encoded, which is an encoding, not encryption), so they should only ever travel over an SSL-protected connection. Because Basic authentication performs a local logon on the server, the user needs the Log on locally right; without it, the logon fails.

  • Integrated Windows authentication. Integrated Windows authentication is more secure than Basic authentication. The browser authenticates with the credentials of the user logged on to the requesting computer, using a challenge/response exchange in which the password itself never crosses the network. As with the other methods, if the authenticated user passes the ACL check, access is granted; otherwise the logon fails and access is denied.

Integrated Windows authentication is the most secure of the three authentication methods and is therefore my recommendation, but it requires certain client operating systems and browsers (in practice, Internet Explorer on Windows). Basic authentication is the next most secure, but it passes the user's password in clear text across the Internet unless the connection is protected with SSL. Anonymous access provides no authentication at all, which is acceptable for visitors who only browse but never for authoring or administration. For more details on these authentication methods, refer to Chapter 4.
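The following is an added example, not code from the original book or from the Server Extensions themselves. It models the request flow described above (route the POST to Admin.dll, Author.dll or Shtml.dll; impersonate the caller; check the impersonated account and its groups against the ACL on the web root) together with the three authentication methods, and it shows concretely why Basic authentication is called clear text: the Authorization header decodes straight back to the password. The _vti_bin request paths, the account names and passwords, the group memberships, and the web-root ACL are all constructed for this example; the challenge/response of Integrated Windows authentication is not reproduced, only its outcome (a verified logon name), and the model gives Integrated precedence over anonymous access where real IIS would try the anonymous account first.

```python
import base64
from dataclasses import dataclass

# Request paths for the three Server Extensions DLLs.  The _vti_bin layout is
# an assumption of this example (the text above names only the DLLs).
DLL_BY_PATH = {
    "/_vti_bin/_vti_adm/admin.dll": "Admin.dll",    # administrative requests
    "/_vti_bin/_vti_aut/author.dll": "Author.dll",  # authoring requests
    "/_vti_bin/shtml.dll": "Shtml.dll",             # browse-time requests
}
# The right each DLL must find on the web-root ACL for the impersonated user.
REQUIRED_RIGHT = {"Admin.dll": "administer", "Author.dll": "author", "Shtml.dll": "browse"}

# Constructed ACL for one extended web root: principal -> rights granted.
WEB_ROOT_ACL = {
    "Administrators": {"administer", "author", "browse"},
    "WebAuthors": {"author", "browse"},
    "IUSR_WEBSRV": {"browse"},   # the IIS anonymous account
}
# Constructed account database: password, group membership, and whether the
# account holds the "Log on locally" right that Basic authentication needs.
ACCOUNTS = {
    "admin":       {"password": "Adm1n!",  "groups": {"Administrators"}, "log_on_locally": True},
    "alice":       {"password": "s3cret",  "groups": {"WebAuthors"},     "log_on_locally": True},
    "bob":         {"password": "hunter2", "groups": {"WebAuthors"},     "log_on_locally": False},
    "IUSR_WEBSRV": {"password": None,      "groups": set(),              "log_on_locally": True},
}

@dataclass
class IISConfig:
    """The authentication methods enabled on the IIS virtual server."""
    allow_anonymous: bool = True
    basic: bool = True
    integrated: bool = True
    anonymous_account: str = "IUSR_WEBSRV"

def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """Recover (user, password) from a Basic Authorization header, or None.
    Base64 is an encoding, not encryption: anyone who captures the request
    reads the password, which is why Basic must be paired with SSL."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, pwd = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pwd) if sep else None

def impersonate(cfg, headers, client_logon=None):
    """Return the account IIS impersonates for this request, or None (401)."""
    auth = headers.get("Authorization")
    if auth is not None:
        if not cfg.basic:
            return None
        creds = decode_basic(auth)
        if creds is None:
            return None
        acct = ACCOUNTS.get(creds[0])
        # Basic performs a local logon, so the account needs "Log on locally".
        if acct and acct["password"] == creds[1] and acct["log_on_locally"]:
            return creds[0]
        return None
    # Integrated Windows authentication: the browser proves knowledge of the
    # user's logon credentials in a challenge/response and the password never
    # crosses the wire.  That exchange is assumed already done here, leaving
    # only the verified logon name (a network logon, so no local-logon right).
    if cfg.integrated and client_logon in ACCOUNTS:
        return client_logon
    return cfg.anonymous_account if cfg.allow_anonymous else None

def handle(cfg, method, path, headers, client_logon=None):
    """Route a request to its DLL, impersonate, and check the web-root ACL.
    Returns (HTTP status, impersonated account or None)."""
    dll = DLL_BY_PATH.get(path)
    if method != "POST" or dll is None:
        return 404, None
    user = impersonate(cfg, headers, client_logon)
    if user is None:
        return 401, None
    principals = {user} | ACCOUNTS[user]["groups"]
    granted = set().union(*(WEB_ROOT_ACL.get(p, set()) for p in principals))
    if REQUIRED_RIGHT[dll] not in granted:
        return 401, user          # IIS reports "permission denied"
    return 200, user

if __name__ == "__main__":
    cfg = IISConfig()
    print(handle(cfg, "POST", "/_vti_bin/shtml.dll", {}))            # anonymous browse
    print(handle(cfg, "POST", "/_vti_bin/_vti_aut/author.dll", {}))  # anonymous authoring: denied
    print(handle(cfg, "POST", "/_vti_bin/_vti_aut/author.dll",
                 {"Authorization": basic_header("alice", "s3cret")}))
    print(decode_basic(basic_header("alice", "s3cret")))            # password recovered from the header
```

Two of the cases are worth running yourself: bob has the right group but not the Log on locally right, so his Basic logon fails while the same account succeeds through Integrated Windows authentication; and alice, an author, is refused by Admin.dll but accepted by Author.dll, which is the root-ACL check doing its job.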
