Administer, author, and browse

June 2002

By David Berry

Applies to
Microsoft FrontPage® 2002

Manage your Web server security with Microsoft FrontPage.

The Internet may be the vanguard of technology, but when it comes to online protection, many businesses might as well be in the Stone Age. It's surprisingly easy for hackers to download customer information, sabotage your systems, or even infiltrate your company's internal networks—unless you take the proper steps to help protect yourself. Microsoft has published the Ten Immutable Laws of Security to help customers understand the core elements of a security strategy.

The great value of the Internet is that it is a wide area network (WAN) that connects a multitude of computers and networks across the world. This is also the greatest security risk to the internal networks of small businesses. The Internet is not only a way for network users to access outside information; it is also an avenue through which data stored on network computers is exposed to other devices that are connected to the Internet. Hosting Web sites, even on an intranet, opens your host computer to a wider community of users.

Security is a critical area that every Webmaster and Web publisher should understand. Whether you’re creating a Web site for your corporate intranet, an extranet, or the Internet, you need proper security controls in place. Security controls help manage who can access the Web server and what permissions they have when they do. Fortunately, Microsoft FrontPage 2002 has built-in security features that can assist you in deploying a security-enhanced Web site.

Using FrontPage security

FrontPage addresses security issues by using the built-in security mechanisms of the host computer. Using FrontPage Server Extensions requires no changes to the host computer's security method. You do not have to recompile any Web server programs, and there are no custom filters or other security modifications.

FrontPage security provides the top-level security control for anyone accessing, authoring, or administering a FrontPage Web site. If users pass through this layer of security, they are still subject to Web server and operating system security controls. Fortunately, if you work with Microsoft Internet Information Services (IIS), the Web server built into the Windows® 2000 Server operating system, you’ll find that Web server and operating system security have been closely integrated in many different areas. You can help maintain security at the FrontPage level through FrontPage Server Extensions; therefore, this article does not discuss operating system security or Web server security in detail. Instead it focuses on FrontPage-specific security features.

You can use FrontPage to help control roles and user access to your FrontPage Webs or subwebs only if you have installed or upgraded SharePoint™ Team Services from Microsoft or FrontPage Server Extensions on your Web server. The typical permissions you can assign include the ability to view content (Browse), publish Web pages (Author), and administer the Web site (Administer). But are those enough? For more details about these categories, see Users, Groups and Roles in FrontPage or SharePoint Team Services.

Administering your FrontPage Web

When you install SharePoint Team Services or FrontPage 2002 Server Extensions, HTML Administration pages are installed on an administration port. You can launch the administration screens at any time from the Server Extensions Administrator or the Internet Services Manager. To administer FrontPage Server Extensions from IIS:

  1. Open IIS and expand the console tree until you see your Web site, typically called Default Web Site.
  2. Right-click your Web site and choose Properties.
  3. In the Properties dialog box, click the Server Extensions 2002 tab.
  4. Click the Settings button.

[Figure: Server Extensions 2002 - Web Site Properties]

When you click the Settings button, you’ll be taken to the Web-based administration pages, where you can manage various settings for your Web site, including users, roles, and rights. Alternatively, you can access these pages by opening your browser and typing http://servername:port/fpadmdll.dll (typically port 8947).

[Figure: Web-based administration pages to manage site settings.]
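Because the administration pages are reachable from any browser that can connect to the administration port, it is worth checking which clients actually request them. The following is an added example, not code from the article or from FrontPage: it parses a W3C extended log and reports requests for /fpadmdll.dll from hosts outside an expected administrator list. The log sample, the field list, and the allowed address are constructed assumptions, as is the premise that logging is enabled for the administration site.

```python
import ipaddress

# Constructed sample of an IIS W3C extended log for the administration
# site; the field list and every value below are illustrative only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2002-06-03 09:14:02 10.0.0.5 CORP\\webadmin 8947 GET /fpadmdll.dll 200
2002-06-03 09:20:41 10.0.0.77 - 8947 GET /fpadmdll.dll 401
2002-06-03 09:21:10 192.0.2.44 - 8947 GET /fpadmdll.dll 401
2002-06-03 09:21:12 192.0.2.44 - 8947 GET /fpadmdll.dll 401
2002-06-03 09:30:00 10.0.0.77 - 80 GET /default.htm 200
"""

ADMIN_STEM = "/fpadmdll.dll"                        # path named in the article
ADMIN_NETS = [ipaddress.ip_network("10.0.0.5/32")]  # assumed admin workstation


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated records
                yield dict(zip(fields, values))


def audit_admin_access(text, allowed=ADMIN_NETS, stem=ADMIN_STEM):
    """Return per-client counts of admin-page requests from unexpected hosts."""
    findings = {}
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != stem:
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        if any(ip in net for net in allowed):
            continue
        entry = findings.setdefault(rec["c-ip"], {"requests": 0, "denied": 0})
        entry["requests"] += 1
        if rec.get("sc-status") in ("401", "403"):
            entry["denied"] += 1
    return findings


if __name__ == "__main__":
    for client, stats in sorted(audit_admin_access(SAMPLE_LOG).items()):
        print(client, stats)
```

Any client the audit reports is one to investigate or to block at the firewall before it reaches the administration port.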

Setting a list of available rights

In addition to the predefined FrontPage roles, you can create your own roles and assign a list of available rights for a role to an individual user. You can get to this screen from the main Server Administration page that appears when you administer the FrontPage Server Extensions from IIS or by typing (typically port 8000 or 8947) in your browser.

[Figure: Create custom roles]

The two main levels of rights are Web Design rights and Web Administration rights. To enable a right, check the box next to the right name; to disable a right, clear the box. You can also use the Select All box to enable or disable all of the rights. This new feature gives you detailed, flexible control over your Web server.

Security and source control

You can also help control who can access and edit your Web site by using the following features in FrontPage:

  • User accounts and roles: User accounts help you control how users access the Web site. Users can be assigned to groups with various permissions (on Web servers running Microsoft FrontPage 2000 Server Extensions or earlier) or assigned roles with varying degrees of access to the site (on Web servers running FrontPage 2002 Server Extensions from Microsoft or SharePoint Team Services). You can create accounts that allow access to the Web site only, or you can use existing network server or domain accounts.
  • Subwebs: A subweb is a complete Web site located in a subfolder of the root Web site or another subweb. Just like a root Web site, a subweb is based on SharePoint Team Services or FrontPage 2002 Server Extensions from Microsoft. Subwebs can be used to manage the folder structure of the files in your Web site and set limitations on who can access those files. Each subweb can be maintained by a different owner and have separate security settings from the parent Web site.
  • Source control: FrontPage provides built-in source control that helps protect files so that only one person at a time can edit a given file. You can enable source control if you have administrator privileges and your Web server is running FrontPage Server Extensions or SharePoint Team Services.

Summary

Although you can use FrontPage to provide different levels of security, Web server and operating system security often come into play in determining which users have access to the server and what rights they have. Will FrontPage alone ensure that your server is secure? No. In addition to FrontPage security, it’s important to look at all the different aspects of network and server security—such as firewalls, virus protection, and the latest security patches and server updates—to help protect your Web site and your company’s data. A good place to start is to sign up for the Microsoft Security Notification Service so you’ll always have the latest information about potential security threats, available patches, virus alerts, and informative articles on security strategies.


David Berry has an extensive background in technical and IT skills, Web site design work, application development, and technical support with over 17 years of diverse experience with government and federal agencies as well as competitive business markets. He is also a Microsoft Certified Professional and has been a Microsoft FrontPage Most Valuable Professional (MVP) since 1999. David co-authored Microsoft FrontPage 2002 Unleashed, Microsoft FrontPage 2000 Unleashed, and Microsoft Windows 2000 Professional Unleashed.