FP98: Form Results Not Secure in _Private Folder on IIS Server

ID: Q194239


The information in this article applies to:


SYMPTOMS

FrontPage stores results of the Save Results Form Handler in the _private folder. If you are using Microsoft Internet Information Server (IIS), the contents of this folder are available for anyone to view. Anyone can access the results in this folder by opening a page from this folder in a Web browser.


CAUSE

When FrontPage creates the _private folder, it limits browse access to FrontPage authors and administrators only. It grants write access to the files in this folder so that the FrontPage Server Extensions can create and update the results file. However, IIS servers are unable to grant write access to a file without also granting read access.


RESOLUTION

To resolve this problem, follow these steps:

  1. Open your Web in FrontPage Explorer.


  2. Right-click the _private folder and click Properties on the menu that appears.


  3. In the _private Properties dialog box, click to clear each check box.


  4. Click OK.



STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

This behavior is specific to IIS servers only. This behavior does not occur on the UNIX platform or with other Web servers running on Windows NT. When you remove browse access on a folder, the server no longer allows access to the folder via HTTP. It does not alter the NTFS permissions of the folder. The FrontPage Server Extensions still have full access to the folder and the files in it. And, you will still be able to view and edit files in the _private folder using FrontPage.

Additional query words: security 98 iis save results


Keywords          : fpexp fpiis fpext 
Version           : WINDOWS:
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: July 30, 1999