June 2002
By Barbara Sehr
Applies to: Microsoft FrontPage® 2002
Failure to monitor your online permissions could be the last lapse for your business.
A long time ago, in a tourist mecca in the shadows of the U.S. Northeast's highest mountain, my mother was a very generous proprietor of a modest restaurant. At times, it seemed to these young eyes that my mother's trusted employees would help themselves to food, cigarettes, and even alcohol. It was only when a few enriched themselves from the 19th-century cash drawer that my mother's guard went up.
We live in a far different world today, whether you're running a corporation or the smallest of businesses. Even that little sign over my mother's cash register—In God We Trust, All Others Pay Cash—has become outdated. Few pay cash anymore, especially when we do business online. We are all hooked together in a vulnerable network of commerce that rapidly transmits numbers and identities before you can say, "Stop, thief!"
Before you decided to host your business in cyberspace, before you bought the Microsoft FrontPage Web site creation and management tool, chances are you examined your business plan. You decided who your audience was, and you decided just what it would take to make your emerging online presence successful.
Even if you weren't that careful going into business, you should make sure that you are more careful now so that you can stay in business. In this world, it is no longer a matter of employees or customers helping themselves to a candy bar or pack of cigarettes. Online, security is just another word for "everything to lose."
Helping protect yourself is as easy as using FrontPage
You might say, "I know everything there is to know about custom jewelry, but I bought FrontPage primarily because I don't want to bother with programming my Web site." Don't worry. There are some easy things you can do to help protect yourself.
You probably know about the cyberspace equivalent of "never talk to strangers." You help protect your site by maintaining antivirus software—making sure it is updated at frequent intervals. You know to keep files and databases under virtual lock and key. You would never lock your valuables behind a door that can be opened with a swift kick.
Yet many online businesses still rely on passwords as simple as "password" or "fluffy" or "fido." Others still use passwords that were put in place when the business began and remained long after a number of employees familiar with those passwords went on to greener pastures. Your personal passwords do not have to be 20 characters long, but every degree of complexity—combining uppercase and lowercase letters, numbers, and symbols—adds another layer of hard steel to your online lockbox of information.
To understand security in FrontPage, you should understand the weapons used by online criminals and joyriders who break into your information simply because they can. The hotwires in any Web site or online presence (such as e-mail) are "scripts." For example, FrontPage Server Extensions are scripts. Scripts are basic instructions to the computer to perform an action. You use them to get people to sign up for newsletters or send you feedback about your site. Intruders use them as a guided missile to penetrate your security.
Over the years, much has been done to protect the scripts within FrontPage Server Extensions. However, seatbelts installed in a car don't protect you unless you use them properly. Intruders who break into your online presence are not usually as dumb as the street criminal who writes a holdup note on the back of his own deposit slip. That's why when you set permissions in scripts—whether they are programmed in Perl, Common Gateway Interface (CGI), or the Microsoft Visual Basic® development system—you need to give each script as little administrative power as possible. (For more information on administering FrontPage Server Extensions, see Administer, Author, and Browse.)
How do you set permissions?
There are two ways to set permissions. First, you can set overall permissions for the entire site by going to the top level of the site. Second, you can set permissions for a sublevel site. For instance, there may be some trusted employees who have access to your entire business. There may be others who require access only to the room where cleaning supplies are kept. In between are other variations of access. The same holds true on your Web site. All employees may have the ability to read an online handbook, while only one or two have the right to make changes.
To set permissions in FrontPage 2002
- On the Tools menu, click Server, and then click Permissions.
- In the Permissions dialog box, click the user or group you want to change. There are several types of permissions here, ranging from Administrate to Author and Browse. A user with the Browse role can only read the pages on your site. Administrate grants permission to do anything on your site, including making changes in content and structure. You probably want to save this role for someone who has a fiduciary interest in your business. You can grant permissions to individual users or groups of users (for example, all who have filled out a registration form).
Warning: If your site is hosted on someone else's server, you may notice some variation in these controls. The host is likely to have administrative rights that you can't control, by virtue of its role as host. (The host may shut down your site for nonpayment, for instance.)
- Select the user whose permission you want to change.
- Select the check boxes next to the roles you want to assign to a particular user.
- Click Submit.
Remember that each level of user or group is granted all rights of any of the levels below his or her status. That means "authors" (those who have permission to write to the site) have the rights of browsers.
Be careful in establishing and maintaining these permissions. Responsibilities can change quickly in business. Make a list of permissions and check it two or even three times a week.
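The review described above can be done mechanically once the list exists. The following is an added example, not part of the original article and not FrontPage code: it assumes you copy the roles shown in the Permissions dialog box into a list by hand, and the account names and the "needed" list are constructed for illustration.

```python
# Added example: review a hand-maintained permissions list (constructed data).
# Role names and their ordering follow the article: Administrate > Author > Browse.
ROLE_RANK = {"Browse": 1, "Author": 2, "Administrate": 3}

def effective_rights(role):
    """Each role includes every right of the roles below it."""
    included = (r for r, rank in ROLE_RANK.items() if rank <= ROLE_RANK[role])
    return sorted(included, key=ROLE_RANK.get)

def review(permissions, needed):
    """Compare granted roles against what each person currently needs.

    permissions: {account: role granted on the site}
    needed:      {account: role the person's current job requires};
                 accounts missing from it no longer need any access.
    Returns a list of (account, finding) tuples, sorted by account.
    """
    findings = []
    for account, granted in sorted(permissions.items()):
        if granted not in ROLE_RANK:
            findings.append((account, f"unknown role {granted!r}"))
        elif account not in needed:
            findings.append((account, f"remove: no current need, still has {granted}"))
        elif ROLE_RANK[granted] > ROLE_RANK[needed[account]]:
            findings.append((account, f"reduce: {granted} -> {needed[account]}"))
    return findings

# Constructed sample: what the site grants today (hypothetical accounts).
SITE_PERMISSIONS = {
    "owner": "Administrate",
    "maria": "Author",
    "sam": "Administrate",      # only edits the online handbook
    "former_clerk": "Author",   # left the business, account never removed
    "everyone": "Browse",
}
# Constructed sample: the least role each current person needs.
CURRENT_NEEDS = {
    "owner": "Administrate",
    "maria": "Author",
    "sam": "Author",
    "everyone": "Browse",
}

if __name__ == "__main__":
    print("Author can also:", effective_rights("Author"))
    for account, finding in review(SITE_PERMISSIONS, CURRENT_NEEDS):
        print(f"{account}: {finding}")
```

Any finding means a change to make in the Permissions dialog box; an empty result means the granted roles match what people currently need.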
Chances are you may not know all the "doors" that exist on your computer. Every time you load an operating system or a program like FrontPage, you may be creating a "port" for processes (like transferring your files through File Transfer Protocol) that you never use. Be cautious in running "typical" installations that often create unnecessary ports that are vulnerable to intruders. In these days of cheap disk space, it's all too easy to run installation programs and fill your systems with all kinds of entry paths you don't need. If you are not aware that a door exists, chances are you are not taking security precautions.
Do you know where your doors are?
Microsoft has created a new diagnostic tool that can measure your vulnerability and give you an opportunity to close these frequently ignored areas before an intruder can make use of them. The free Microsoft Baseline Security Analyzer is available for download. The program runs on the Microsoft Windows® XP, Windows 2000, and Windows NT® operating systems.
If you had this kind of security power in your real life, imagine how much safer you'd feel. If there were a password you could develop that would help protect you and your children from the pitfalls of society to a high degree of certainty, it wouldn't matter to you how difficult it was to maintain and how complex it was to remember.
Some of us, however, remain trusting and generous like my mother. The restaurant, the free food, and the antique cash drawer have long faded into retirement. Still, my mother recently suffered another downside to her trusting nature. A virus on her home computer treated her to a daily display of pornography every time she turned her system on.
Her newly reformatted hard disk now features a major antivirus application.
Barbara Sehr is a Seattle-based freelance writer who has written on operating systems and storage systems for national computer magazines that include Datamation, ComputerWorld and Digital News. She has also written technical documents for software companies, including Microsoft Corporation.