FP97: Minimum NTFS File Permission Requirements (162144)



The information in this article applies to:

  • Microsoft FrontPage 97 for Windows with Bonus Pack

This article was previously published under Q162144

SUMMARY

The security architecture of the Microsoft Internet Information Server (IIS) relies on the Windows NT File System (NTFS). This article describes minimum NTFS access permissions required to run FrontPage 97 and which permissions are altered during installation or when you run Check Installation from the FrontPage 97 Server Administrator.

MORE INFORMATION

NOTE: References to Shtml.dll, Author.dll, or Admin.dll apply equally to their CGI counterparts, Shtml.exe, Author.exe, and Admin.exe, on IIS 1.x servers. FrontPage only edits access control lists (ACLs); it does not change file access permissions of accounts not listed in the following section.

File Permissions Assigned by Check Installation

Check Installation is a feature of the FrontPage 97 Server Administrator (Fpsrvwin.exe) that you can run to correct problems in NTFS permissions. When you run Check Installation, permissions are set on the files as follows:

Windows NT directory:
   \WINNT\Frontpg.ini
      INTERACTIVE: Read (R)
      NETWORK: Read (R)

   \WINNT\System\Fp20htp.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System\Fp20tl.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System\Fp20txt.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System\Fp20utl.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System\Fp20wel.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Infoadmn.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Mfc40.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Msvcrt40.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Netapi32.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Netrap.dll
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Rpcltc1.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Samlib.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \WINNT\System32\Wsock32.DLL
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)
				
Microsoft FrontPage Installation Directory:

NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.
   \Microsoft FrontPage\Servsupp
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \Microsoft FrontPage\Servsupp\Fp20msft.dll
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Servsupp\Servers.cnf
      INTERACTIVE: Special Access (R)
      NETWORK: Special Access (R)

   \Microsoft FrontPage\Bin
      INTERACTIVE: List (RX)(Not Specified)
      NETWORK: List (RX)(Not Specified)

   \Microsoft FrontPage\Bin\Fp20vss.dll
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Bin\Fpext*.msg
      (only if files are present for multi-language support)
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Isapi\ 
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \Microsoft FrontPage\Isapi\_vti_bin
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \Microsoft FrontPage\Isapi\_vti_bin\Shtml.dll
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\ 
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\Admin.dll
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\ 
      INTERACTIVE: Read (RX)(RX)
      NETWORK: Read (RX)(RX)

   \Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\Author.dll
      INTERACTIVE: Read (RX)
      NETWORK: Read (RX)

   \Microsoft FrontPage\Temp
      INTERACTIVE: Special Access (RWX)(RWX)
      NETWORK: Special Access (RWX)(RWX)

   \Microsoft FrontPage\Temp\Frontpg.lck
      INTERACTIVE: Special Access (RW)
      NETWORK: Special Access (RW)
				
Web Content Area:

When you run Check Installation on an existing FrontPage web, the files and directories in the content root directory are modified. No changes are made to NTFS permissions in FrontPage subwebs. The minimum access permissions required in FrontPage subwebs are set by duplicating the permissions in the following list on all "_vti_*" directories and the files stored within these directories. In addition, you need to set read permissions on Shtml.dll for browsers, Author.dll for authors, and Admin.dll for administrators. The following list assumes that your web content is stored in \Inetpub\Wwwroot.
   \Inetpub
   (all directories enclosing the content root grant list permissions
    to these accounts)
      INTERACTIVE:List (RX)(Not Specified)
      NETWORK: List (RX)(Not Specified)

   \Inetpub\Wwwroot
      INTERACTIVE: List (RX)(Not Specified)
      NETWORK: List (RX)(Not Specified)

   \Inetpub\Wwwroot\_vti_pvt
      INTERACTIVE: Change (RWXD)(RWXD)
      NETWORK: Change (RWXD)(RWXD)

   \Inetpub\Wwwroot\_vti_pvt\botinfs.cnf
      INTERACTIVE: (RWX)
      NETWORK: (RWX)

   \Inetpub\Wwwroot\_vti_pvt\bots.cnf
      INTERACTIVE: (RWX)
      NETWORK: (RWX)

   \Inetpub\Wwwroot\_vti_pvt\services.cnf
      INTERACTIVE: (RX)
      NETWORK: (RX)

   \VSS\Win32\Ssapi.dll (If Visual SourceSafe 5 is installed)
      INTERACTIVE: (RX)
      NETWORK: (RX)

   \VSS\Win32\Ssxx.dll where xx represents the country code. For example,
   Ssus.dll, which is the default if no other country code is present,
   represents the United States. (If Visual SourceSafe 5 is installed.)
      INTERACTIVE: (RX)
      NETWORK: (RX)
				

Additional File Permissions Assigned by Installation

File permissions are assigned to the following list of files when FrontPage is installed. This list combined with the previous list demonstrate the changes made when you install FrontPage on the server.

NOTE: This list assumes that the built-in NT Administrators and System groups already have full control over the entire drive, and that the IUSR_<hostname> account is granted read access to the web content before FrontPage is installed.

FrontPage assumes that an account with read access to the web content requires read access after installation. Such accounts become end users of the web content. IUSR_<hostname> is only granted access if it had access to the files at installation time. You can substitute "all user accounts with read access to the web content" in place of IUSR_<hostname>. Regardless of what access permissions these accounts had prior to installation, they are normalized to the access permissions described in the following list during the installation process. The installing account is explicitly given administrator rights throughout the content area even though they are already an administrator. (NOTE: You need to be an NT Administrator to successfully run the FrontPage Server Administrator.)

Microsoft FrontPage Installation Directory:

NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.
   \Microsoft FrontPage\Temp\_x_todo.htm
      INTERACTIVE: Special Access (RWX)
      NETWORK: Special Access (RWX)
				
Web Content Area:
   \Inetpub\Wwwroot
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   All Browsable Content
      IUSR_<host_name>: Special Access (RWD)

   \Inetpub\Cgi-Bin
      IUSR_<host_name>: Special Access (RWXD)(RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   \Inetpub\Wwwroot\_vti_log
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   \Inetpub\Wwwroot\_vti_pvt
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Access.cnf
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Doctodep.btr
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Deptodoc.btr
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Httpconf.lck
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Service.cnf
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Services.org
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\Svcacl.cnf
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_pvt\uniqperm.cnf
      IUSR_<host_name>: Special Access (RWD)
      The Installing Account: Special Access (RWD)

   \Inetpub\Wwwroot\_vti_txt
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   \Inetpub\Wwwroot\_vti_bin
      IUSR_<host_name>: Read (RX)(RX)
      The Installing Account: Read (RX)(RX)

   \Inetpub\Wwwroot\_vti_bin\Shtml.dll
      IUSR_<host_name>: Read (RX)
      The Installing Account: Read (RX)

   \Inetpub\Wwwroot\_vti_bin\_vti_aut
      The Installing Account: Read (RX)(RX)

   \Inetpub\Wwwroot\_vti_bin\_vti_aut\author.dll
      The Installing Account: Read (RX)

   \Inetpub\Wwwroot\_vti_bin\_vti_adm
      The Installing Account: Read (RX)(RX)

   \Inetpub\Wwwroot\_vti_bin\_vti_adm\Admin.dll
      The Installing Account: Read (RX)

   \Inetpub\Wwwroot\_vti_cnf
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)

   \Inetpub\Wwwroot\_private
      IUSR_<host_name>: Special Access (RWXD) (RWD)
      The Installing Account: Special Access (RWXD) (RWD)
				

Changes in Permissions Required by FrontPage 1.1

IUSR_<hostname> now only has RX to all executable directories (_VTI_*) thereby closing a security hole. This is a change from FrontPage 1.1. In FrontPage 1.1, the IUSR_<hostname> account was granted Full Control to the _vti_bin directory and Shtml.exe. If an intruder had the IUSR_<hostname> password and logged into the machine they would have write permission in an executable directory. FrontPage 1.1 itself NEVER allowed any clients to write into the _vti_bin directory, so the security threat was only from other means of access to the web server file system. Now that the IUSR_<hostname> account is only granted RX to the _vti_bin, this potential hole is sealed. It is no longer necessary to be an NT Administrator to administer webs using FrontPage Explorer.

Modification Type:MajorLast Reviewed:8/10/2001
Keywords:kbenv kbinfo KB162144