When you configure a Web site with the server extensions,
security will be managed through the server extensions. There are several
places in the Web site where the anonymous account or some groups with equally
broad membership will have write access. Under normal circumstances, this is
not a problem. This is because the only way to write to the site is by using
FrontPage, which forces authentication before access is allowed. When you also
have an FTP site configured to use the same file path and to allow anonymous
access to the FTP site, the situation changes.
↑ Back to the top
If both anonymous and write access are allowed to the FTP
site, those folders to which the anonymous account has write access can be used
as a storage location, without the site owner having knowledge of this.
Sensitive files, such as the Global.asa file, which can contain passwords in
clear text, will be exposed.
NOTE: This is not a security problem with the server extensions. They
are not designed to work in this type of environment.
↑ Back to the top
For a list of permissions settings for the directories and
files that contain the FrontPage Server Extensions, visit the following
Microsoft Web sites:
↑ Back to the top