|
|
Microsoft FrontPage 2000 Server Extensions Resource
Kit
Security on Windows NT
 4 of 9  Access Control List Settings
The FrontPage Server Extensions administration tools — the Fpsrvadm and Fpremadm utilities, the FrontPage Server Extensions MMC Snap-in, and the FrontPage Server Extensions HTML Administration Forms — modify the ACLs for files and folders when the administrator of a FrontPage-extended web uses these tools. Also, the FrontPage client sets ACLs at authoring time. For example, when an author creates a new folder or page in a FrontPage-extended web, the FrontPage client sets the ACLs on the new page or folder.
The set of ACLs for a FrontPage-extended web is listed in the following table. The first column identifies the type of folder or file on which the ACLs are set. The second column describes the ACL setting on that file or folder. The third column applies only to folders. It describes the ACL settings for new content that is created in that folder by an author or administrator who is using the FrontPage client.
Table 1 Permissions for the Content of a FrontPage-Extended web on IIS
Web folder or content |
Access control list setting |
Setting on new content created within the folder |
| Top-level folder of root web or subweb |
site visitors:
read, execute
authors:
read, execute,
write, delete
administrators:
read, execute,
write, delete,
change permissions |
site visitors:
read
authors:
read, write,
delete
administrators:
read, write,
delete,
change permissions |
| A folder of a web below the top-level folder |
site visitors:
read
authors:
read, execute,
write, delete
administrators:
read, execute,
write, delete, change permissions |
site visitors:
read
authors:
read, write,
delete
administrators:
read, write,
delete,
change permissions |
| Executable folder |
Making a folder executable does not change the current ACL. |
Making a folder executable adds execute permissions for site visitors, authors, and administrators to the current ACL. |
| Folder containing form results |
If a folder contains discussion group or database form handler results, FrontPage adds write permissions for site visitors to the current ACL. |
If a folder contains discussion group or database form handler results, FrontPage adds write permissions for site visitors to the current ACL. |
| FrontPage _vti_pvt folder |
site visitors:
read, execute,
write, delete
authors:
read, execute,
write, delete
administrators:
read,
execute, write,
delete,
change permissions |
site visitors:
read, write,
delete
authors:
read, write,
delete
administrators:
read,
write, delete,
change permissions |
| FrontPage _vti_log folder |
site visitors:
read, execute,
write, delete
authors:
read, execute,
write, delete
administrators:
read, execute,
write, delete,
change permissions |
site visitors:
read, write,
delete
authors:
read, write,
delete
administrators:
read, write,
delete,
change permissions |
| FrontPage _vti_txt folder |
site visitors:
read, execute,
write, delete
authors:
read, execute,
write, delete
administrators:
read, execute,
write, delete,
change permissions |
site visitors:
read, write,
delete
authors:
read, write,
delete
administrators:
read, write,
delete,
change permissions |
| content files |
site visitors:
read
authors:
read, write,
delete
administrators:
read, write,
delete,
change permissions |
- |
| Files in folder containing form results |
Adds write permissions for site visitors to the current ACL. |
- |
When an administrator sets the ACLs for a FrontPage-extended web using the FrontPage client's Permissions command, FrontPage displays the Windows NT computer account list by default. You can set up a restricted list of users and groups that does not expose the entire contents of the Windows NT computer and domain account lists. This lets you protect the confidentiality of your user community. For details, see Restricting Windows NT Account Lists.
- FrontPage grants full control to all files (all) (all) for members of the Windows NT Administrators group and the SYSTEM account.
- FrontPage adds execute permissions for site visitors, authors, and administrators to folders that are marked with an executable virtual root. The execute permission is allowed only if the Allow authors to upload executables check box is selected in the Properties dialog box for the FrontPage-extended web. See FrontPage MMC Snap-in for details. If this setting is off for a FrontPage-extended web (which is the default), execute permissions will never be applied, and the default content permissions will be used even if the directory is marked as executable. In IIS 2.0 and IIS 3.0, the execute permission affects all files in a directory, including DLLs, executable files, and interpreted scripts such as .asp and .pl files. On IIS 4.0 and later, the execute permission affects only DLLs and executable files, and, depending on the server configuration, may not affect interpreted script files.
- The form results folder setting is used by FrontPage only on files that contain the results of a form that uses the default form handler. For a discussion form handler, this setting is placed on the directory for that discussion.
- If the Anonymous browsing allowed check box is selected in the FrontPage client's Permissions dialog box, anonymous browsing for a web is implemented. This is done by adding the anonymous account IUSR_machinename, with read permission, to the ACLs for all files in the web.
|
 |
