Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Description of FTP and anonymous access with the server extensions installed


View products that this article applies to.

This article was previously published under Q293512

↑ Back to the top


Summary

When you configure a Web site with the server extensions, security will be managed through the server extensions. There are several places in the Web site where the anonymous account or some groups with equally broad membership will have write access. Under normal circumstances, this is not a problem. This is because the only way to write to the site is by using FrontPage, which forces authentication before access is allowed. When you also have an FTP site configured to use the same file path and to allow anonymous access to the FTP site, the situation changes.

↑ Back to the top


More information

If both anonymous and write access are allowed to the FTP site, those folders to which the anonymous account has write access can be used as a storage location, without the site owner having knowledge of this. Sensitive files, such as the Global.asa file, which can contain passwords in clear text, will be exposed.

NOTE: This is not a security problem with the server extensions. They are not designed to work in this type of environment.

↑ Back to the top


References

For a list of permissions settings for the directories and files that contain the FrontPage Server Extensions, visit the following Microsoft Web sites:

↑ Back to the top


Keywords: KB293512, kbhowto, kbinfo, kbconfig, kbsecurity, kbftp

↑ Back to the top

Article Info
Article ID : 293512
Revision : 6
Created on : 7/6/2007
Published on : 7/6/2007
Exists online : False
Views : 469