Security of Webpage
|
|
| pcsmitpra 2006-04-02, 7:33 pm |
| I am running a website, and found anyone can access its data via MS
FrontPage. Where is the lack? It is not asking for a password while opening the
page, and it is showing my whole directory structure. I use Internet Explorer to
check it. I have reset IIS permissions but it does not work. Thanks for reply.
| |
| Ken Schaefer 2006-04-02, 7:33 pm |
| What do you mean "they can open it in Frontpage"?
Do you mean that they can make changes, and save it back to the server?
Or they can just open the page for editing?
The former means you have a security misconfiguration.
The latter just means that they downloaded the HTML (same as a browser), and
they can edit it on their local machine, but if they try to save it back to
the server they'd need to supply a username/password.
Cheers
Ken
"pcsmitpra" <pcsmitpra@discussions.microsoft.com> wrote in message
news:216A17E1-F109-4326-98EC-800F4B391713@microsoft.com...
: I am running a website, and found anyone can access its data via MS
: FrontPage. Where is the lack? It is not asking for a password while opening
: the page, and it is showing my whole directory structure. I use Internet
: Explorer to check it. I have reset IIS permissions but it does not work.
: Thanks for reply.
| |
| pcsmitpra 2006-04-02, 7:33 pm |
| They can make changes and even save them to the server. Please, it's URGENT!!!
Thanks for reply.
| |
|
| The only thing that is 'URGENT' here is for you to turn off that machine
until you have learned enough to properly secure it. If it is exposed to
the Internet you can already assume it has been compromised and might as
well plan on flattening it and starting over.
"pcsmitpra" <pcsmitpra@discussions.microsoft.com> wrote in message
news:80264A4D-8042-4725-9D69-CE71891A7D99@microsoft.com...
> They can make changes and even save them to the server. Please, it's URGENT!!!
> Thanks for reply.
| |
| Ken Schaefer 2006-04-02, 7:33 pm |
| What version of IIS are you using? And what version of FPSE (Frontpage
Server Extensions) do you have installed on the server?
If you have IIS 5.0 and FPSE 2000 (the version that shipped with FPSE), when
you choose to enable a website with FPSE using the IIS MMC, you are prompted
to create three security groups. If you did not create these groups (either
via the wizard, or manually) you will see the symptoms you describe.
If you did create the groups, then check the membership of the FP Authors
and Administrators groups.
Cheers
Ken
"pcsmitpra" <pcsmitpra@discussions.microsoft.com> wrote in message
news:80264A4D-8042-4725-9D69-CE71891A7D99@microsoft.com...
: They can make changes and even save them to the server. Please, it's URGENT!!!
: Thanks for reply.
| |
| pcsmitpra 2006-04-11, 9:53 am |
| Thanks Ken,
I am using IIS6.0 and FP 5.0, on Win2003 server.
| |
| Ken Schaefer 2006-04-11, 9:53 am |
| So, did you create the three user groups when prompted by the wizard?
Cheers
Ken
--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
"pcsmitpra" <pcsmitpra@discussions.microsoft.com> wrote in message
news:D0169EF6-0D69-405E-810C-B08E5EE28A8D@microsoft.com...
: Thanks Ken,
: I am using IIS6.0 and FP 5.0, on Win2003 server.
| |
| pcsmitpra 2006-04-11, 9:53 am |
|
I am using default user and user group, have not created any new user. The
setting for anonymous user login in IIS is checked but I used my a/c and
password there also.
| |
| Ken Schaefer 2006-04-11, 9:53 am |
| Please re-read what I wrote.
When you right-click the website in IIS Manager, and choose to configure
Frontpage Server Extensions 2000, the wizard asks you whether you want to
create three local groups. You have to have the wizard create those groups
(or you need to create them manually).
If you didn't create those groups, then you will see the symptoms you
describe (anyone can edit any of your webpages).
Please read the FPSE 2000 security documentation, where this is all
explained.
Cheers
Ken
--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
"pcsmitpra" <pcsmitpra@discussions.microsoft.com> wrote in message
news:269F3A23-5644-4532-AC2C-497045895549@microsoft.com...
:
: I am using default user and user group, have not created any new user. The
: setting for anonymous user login in IIS is checked but I used my a/c and
: password there also.