IIS Server Security - Frontpage Server Extensions and Security


Charles Otstot

2004-02-17, 11:34 pm

I recall seeing an article some time back in the IIS (4 or 5) security
guidelines that MS best practices recommended not installing FPSE on a
production server. I have searched for the article (I know I should have
saved it) to no avail.
Does anybody else recall the article and (hopefully) have a link?
Also, does anyone know whether this recommendation still holds in IIS 5.0
with FPSE 2002 and whether it holds with IIS 6.0 on 2003?


Thanks,
Charlie


Jeff Cochran

2004-02-18, 12:34 am

On Wed, 18 Feb 2004 07:53:42 -0500, "Charles Otstot"
<saries@notmyreal.address.com> wrote:

>I recall seeing an article some time back in the IIS (4 or 5) security
>guidelines that MS best practices recommended not installing FPSE on a
>production server. I have searched for the article (I know I should have
>saved it) to no avail.
>Does anybody else recall the article and (hopefully) have a link?
>Also, does anyone know whether this recommendation still holds in IIS 5.0
>with FPSE 2002 and whether it holds with IIS 6.0 on 2003?


The basis is that any time you add services, you add another potential
hole. FPSE has a number of features that can be abused, and the
security relies on strong passwords and account settings, adding
another dimension to the needed knowledge of an admin.

That said, sometimes you need the functionality. That means you
accept and deal with the security issues. Small things, like only
allowing access to the admin page from inside your firewall, can go a
long way to securing the system. Forcing FTP uploads instead of using
FPSE's "publish" features, not using FPSE unique features, not using
WebDAV and so on will make it more secure.

The best method I've found is to use FPSE but restrict any publishing
to inside your firewall or through VPN's. I don't allow many of FP's
"features" like the discussion forms, which can be open to abuse. But
you don't get to do VS.NET development without FPSE, so you're kind of
stuck. Of course, only allowing FPSE on your development server and
not the production server can also help.

Jeff

Charles Otstot

2004-02-18, 2:34 am


"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:40376d18.580284184@msnews.microsoft.com...
> On Wed, 18 Feb 2004 07:53:42 -0500, "Charles Otstot"
> <saries@notmyreal.address.com> wrote:
>
>
> The basis is that any time you add services, you add another potential
> hole. FPSE has a number of features that can be abused, and the
> security relies on strong passwords and account settings, adding
> another dimension to the needed knowledge of an admin.
>
> That said, sometimes you need the functionality. That means you
> accept and deal with the security issues. Small things, like only
> allowing access to the admin page from inside your firewall, can go a
> long way to securing the system. Forcing FTP uploads instead of using
> FPSE's "publish" features, not using FPSE unique features, not using
> WebDAV and so on will make it more secure.
>
> The best method I've found is to use FPSE but restrict any publishing
> to inside your firewall or through VPN's. I don't allow many of FP's
> "features" like the discussion forms, which can be open to abuse. But
> you don't get to do VS.NET development without FPSE, so you're kind of
> stuck. Of course, only allowing FPSE on your development server and
> not the production server can also help.
>
> Jeff


Jeff,

Agreed on all counts.

What I am looking for is an older document that backs up exactly your final
scenario (and the scenario I'm trying to retain, assuming previous
recommendations still hold true with FPSE2002), i.e. allowed on dev, not on
production. MS had (still has??) a notation in one of their IIS Security
documents (I think it was the old Best Practices document) precisely that
verbiage, that FPSE should be installed on test/development servers but NOT
production servers.

I would expect the same recommendation to hold with FPSE2002 as with older
revisions, I'm just hoping that MS still has it documented so that I can
present MS documentation when asked what they (MS) recommend.

Charlie


Roger Abell

2004-02-25, 10:34 am

I do not believe you will find a current doc. The issues are
too embarrassing. If you want to build a case, the one that
Jeff did not mention is FPSE2002 settings of NTFS permissions.

I am not informed of your content environment, but allowing
FPSE can break write isolation between webs, and then allowing
dynamic publishing of not necessarily trusted code means that
authors can exploit the rather pervasive read granted by FPSE.
To build your case just examine the grants made to Network and
to Interactive. If Asp.Net is enabled the combination with FPSE
permissioning gets magnified, but then use of Asp.Net with
untrusted code is not recommended anyway.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Charles Otstot" <saries@notmyreal.address.com> wrote in message
news:u0HexVj9DHA.1632@TK2MSFTNGP12.phx.gbl...
>
> "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
> news:40376d18.580284184@msnews.microsoft.com...
>
> Jeff,
>
> Agreed on all counts.
>
> What I am looking for is an older document that backs up exactly your final
> scenario (and the scenario I'm trying to retain, assuming previous
> recommendations still hold true with FPSE2002)..ie. allowed on dev, not on
> production. MS had (still has??) a notation in one of their IIS Security
> documents (I think it was the old Best Practices document) precisely that
> verbiage, that FPSE should be installed on test/development servers but NOT
> production servers.
>
> I would expect the same recommendation to hold with FPSE2002 as with older
> revisions, I'm just hoping that MS still has it documented so that I can
> present MS documentation when asked what they (MS) recommend.
>
> Charlie
>
>

Copyright 2003 - 2008 webservertalk.com