Description of FTP and anonymous access with the server extensions installed (293512)


The information in this article applies to:

  • FrontPage 2002 Server Extensions from Microsoft
  • SharePoint Team Services from Microsoft
  • FrontPage 2000 Server Extensions from Microsoft
This article was previously published under Q293512

SUMMARY

When you configure a Web site with the server extensions, security will be managed through the server extensions. There are several places in the Web site where the anonymous account or some groups with equally broad membership will have write access. Under normal circumstances, this is not a problem. This is because the only way to write to the site is by using FrontPage, which forces authentication before access is allowed. When you also have an FTP site configured to use the same file path and to allow anonymous access to the FTP site, the situation changes.

MORE INFORMATION

If both anonymous and write access are allowed to the FTP site, those folders to which the anonymous account has write access can be used as a storage location, without the site owner having knowledge of this. Sensitive files, such as the Global.asa file, which can contain passwords in clear text, will be exposed.

NOTE: This is not a security problem with the server extensions. They are not designed to work in this type of environment.

REFERENCES

For a list of permissions settings for the directories and files that contain the FrontPage Server Extensions, visit the following Microsoft Web sites:

http://officeupdate.microsoft.com/frontpage/wpp/serk/apndx04.htm

http://officeupdate.microsoft.com/frontpage/wpp/serk/apndx01.htm

Modification Type:MinorLast Reviewed:10/19/2004
Keywords:kbFTP kbSecurity kbConfig kbinfo kbhowto KB293512
©2004 Microsoft Corporation. All rights reserved.