ID: q162144
The information in this article applies to:
The security architecture of the Microsoft Internet Information Server (IIS) relies on the Windows NT File System (NTFS). This article describes the minimum NTFS access permissions required to run FrontPage 97 and which permissions are altered during installation or when you run Check Installation from the FrontPage 97 Server Administrator.
NOTE: References to Shtml.dll, Author.dll, or Admin.dll apply equally to their CGI counterparts, Shtml.exe, Author.exe, and Admin.exe, on IIS 1.x servers. FrontPage only edits access control lists (ACLs); it does not change file access permissions of accounts not listed in the following section.
Check Installation is a feature of the FrontPage 97 Server Administrator (Fpsrvwin.exe) that you can run to correct problems in NTFS permissions. When you run Check Installation, permissions are set on the files as follows:
Windows NT directory:
\WINNT\Frontpg.ini
INTERACTIVE: Read (R)
NETWORK: Read (R)
\WINNT\System\Fp20htp.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System\Fp20tl.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System\Fp20txt.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System\Fp20utl.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System\Fp20wel.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Infoadmn.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Mfc40.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Msvcrt40.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Netapi32.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Netrap.dll
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Rpcltc1.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Samlib.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\WINNT\System32\Wsock32.DLL
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
Microsoft FrontPage Installation Directory:
NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.
\Microsoft FrontPage\Servsupp
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\Microsoft FrontPage\Servsupp\Fp20msft.dll
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Servsupp\Servers.cnf
INTERACTIVE: Special Access (R)
NETWORK: Special Access (R)
\Microsoft FrontPage\Bin
INTERACTIVE: List (RX)(Not Specified)
NETWORK: List (RX)(Not Specified)
\Microsoft FrontPage\Bin\Fp20vss.dll
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Bin\Fpext*.msg
(only if files are present for multi-language support)
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Isapi\
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\Microsoft FrontPage\Isapi\_vti_bin
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\Microsoft FrontPage\Isapi\_vti_bin\Shtml.dll
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\Admin.dll
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\
INTERACTIVE: Read (RX)(RX)
NETWORK: Read (RX)(RX)
\Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\Author.dll
INTERACTIVE: Read (RX)
NETWORK: Read (RX)
\Microsoft FrontPage\Temp
INTERACTIVE: Special Access (RWX)(RWX)
NETWORK: Special Access (RWX)(RWX)
\Microsoft FrontPage\Temp\Frontpg.lck
INTERACTIVE: Special Access (RW)
NETWORK: Special Access (RW)
Web Content Area:
When you run Check Installation on an existing FrontPage web, the files and directories in the content root directory are modified. No changes are made to NTFS permissions in FrontPage subwebs. The minimum access permissions required in FrontPage subwebs are set by duplicating the permissions in the following list on all "_vti_*" directories and the files stored within these directories. In addition, you need to set read permissions on Shtml.dll for browsers, Author.dll for authors, and Admin.dll for administrators. The following list assumes that your web content is stored in \Inetpub\Wwwroot.
\Inetpub
(all directories enclosing the content root grant list permissions to these accounts)
INTERACTIVE: List (RX)(Not Specified)
NETWORK: List (RX)(Not Specified)
\Inetpub\Wwwroot
INTERACTIVE: List (RX)(Not Specified)
NETWORK: List (RX)(Not Specified)
\Inetpub\Wwwroot\_vti_pvt
INTERACTIVE: Change (RWXD)(RWXD)
NETWORK: Change (RWXD)(RWXD)
\Inetpub\Wwwroot\_vti_pvt\botinfs.cnf
INTERACTIVE: (RWX)
NETWORK: (RWX)
\Inetpub\Wwwroot\_vti_pvt\bots.cnf
INTERACTIVE: (RWX)
NETWORK: (RWX)
\Inetpub\Wwwroot\_vti_pvt\services.cnf
INTERACTIVE: (RX)
NETWORK: (RX)
\VSS\Win32\Ssapi.dll (If Visual SourceSafe 5 is installed)
INTERACTIVE: (RX)
NETWORK: (RX)
\VSS\Win32\Ssxx.dll where xx represents the country code. For example,
Ssus.dll, which is the default if no other country code is present,
represents the United States. (If Visual SourceSafe 5 is installed.)
INTERACTIVE: (RX)
NETWORK: (RX)
File permissions are assigned to the following list of files when FrontPage is installed. This list, combined with the previous list, demonstrates the changes made when you install FrontPage on the server.
NOTE: This list assumes that the built-in NT Administrators and System groups already have full control over the entire drive, and that the IUSR_<hostname> account is granted read access to the web content before FrontPage is installed.
FrontPage assumes that an account with read access to the web content requires read access after installation. Such accounts become end users of the web content. IUSR_<hostname> is only granted access if it had access to the files at installation time. You can substitute "all user accounts with read access to the web content" in place of IUSR_<hostname>. Regardless of what access permissions these accounts had prior to installation, they are normalized to the access permissions described in the following list during the installation process. The installing account is explicitly given administrator rights throughout the content area even though they are already an administrator. (NOTE: You need to be an NT Administrator to successfully run the FrontPage Server Administrator.)
Microsoft FrontPage Installation Directory:
NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.
\Microsoft FrontPage\Temp\_x_todo.htm
INTERACTIVE: Special Access (RWX)
NETWORK: Special Access (RWX)
Web Content Area:
\Inetpub\Wwwroot
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
All Browsable Content
IUSR_<host_name>: Special Access (RWD)
\Inetpub\Cgi-Bin
IUSR_<host_name>: Special Access (RWXD)(RWD)
The Installing Account: Special Access (RWXD) (RWD)
\Inetpub\Wwwroot\_vti_log
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
\Inetpub\Wwwroot\_vti_pvt
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
\Inetpub\Wwwroot\_vti_pvt\Access.cnf
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Doctodep.btr
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Deptodoc.btr
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Httpconf.lck
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Service.cnf
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Services.org
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\Svcacl.cnf
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_pvt\uniqperm.cnf
IUSR_<host_name>: Special Access (RWD)
The Installing Account: Special Access (RWD)
\Inetpub\Wwwroot\_vti_txt
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
\Inetpub\Wwwroot\_vti_bin
IUSR_<host_name>: Read (RX)(RX)
The Installing Account: Read (RX)(RX)
\Inetpub\Wwwroot\_vti_bin\Shtml.dll
IUSR_<host_name>: Read (RX)
The Installing Account: Read (RX)
\Inetpub\Wwwroot\_vti_bin\_vti_aut
The Installing Account: Read (RX)(RX)
\Inetpub\Wwwroot\_vti_bin\_vti_aut\author.dll
The Installing Account: Read (RX)
\Inetpub\Wwwroot\_vti_bin\_vti_adm
The Installing Account: Read (RX)(RX)
\Inetpub\Wwwroot\_vti_bin\_vti_adm\Admin.dll
The Installing Account: Read (RX)
\Inetpub\Wwwroot\_vti_cnf
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
\Inetpub\Wwwroot\_private
IUSR_<host_name>: Special Access (RWXD) (RWD)
The Installing Account: Special Access (RWXD) (RWD)
IUSR_<hostname> now has only RX access to all executable directories (_VTI_*), thereby closing a security hole. This is a change from FrontPage 1.1, in which the IUSR_<hostname> account was granted Full Control to the _vti_bin directory and Shtml.exe. If an intruder had the IUSR_<hostname> password and logged on to the machine, they would have write permission in an executable directory. FrontPage 1.1 itself NEVER allowed any clients to write into the _vti_bin directory, so the security threat was only from other means of access to the web server file system. Now that the IUSR_<hostname> account is granted only RX to _vti_bin, this potential hole is sealed. It is no longer necessary to be an NT Administrator to administer webs using FrontPage Explorer.
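The following added example (not part of the original article and not Microsoft code) parses an ACL listing written in the notation used above and reports any non-administrative account that holds more than RX under a _vti_bin directory. The host name WEB01, the \Inetpub\Old path, the trusted-account list, and the sample listing are constructed for illustration.

```python
import re

# ACL line in the article's notation: "ACCOUNT: [Name] (first)[(second)]".
# On a directory the first group applies to the directory itself and the
# second to files created in it; a file carries a single group.
ENTRY = re.compile(r"^(?P<account>[^:(]+):\s*[A-Za-z ]*\((?P<first>[^)]*)\)"
                   r"\s*(?:\((?P<second>[^)]*)\))?$")
ALL = frozenset("RWXDPO")   # NT "Full Control (All)"
SAFE = frozenset("RX")      # what the article grants on _vti_bin

def perms(group):
    """Turn 'RX', 'All' or 'Not Specified' into a set of permission letters."""
    if group is None or group.strip().lower() == "not specified":
        return frozenset()
    return ALL if group.strip().lower() == "all" else frozenset(group.strip().upper())

def parse_listing(text):
    """Return {path: {account: letters granted by either group}}."""
    acls, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("\\"):
            path = line
        elif path and (m := ENTRY.match(line)):
            acls.setdefault(path, {})[m["account"].strip()] = perms(m["first"]) | perms(m["second"])
    return acls

def writable_executable_paths(acls, trusted=("Administrators", "SYSTEM")):
    """Flag accounts holding more than RX anywhere under a _vti_bin directory."""
    findings = []
    for path, entries in acls.items():
        if "_vti_bin" in path.lower().split("\\"):
            for account, granted in entries.items():
                extra = granted - SAFE
                if extra and account not in trusted:
                    findings.append((path, account, "".join(sorted(extra))))
    return findings

# Constructed sample: first path as FrontPage 97 sets it, second as FrontPage 1.1 did.
SAMPLE = r"""
\Inetpub\Wwwroot\_vti_bin\Shtml.dll
IUSR_WEB01: Read (RX)
\Inetpub\Old\_vti_bin
IUSR_WEB01: Full Control (All)(All)
Administrators: Full Control (All)(All)
\Inetpub\Wwwroot\_vti_pvt
IUSR_WEB01: Special Access (RWXD) (RWD)
"""

if __name__ == "__main__":
    print(writable_executable_paths(parse_listing(SAMPLE)))
```

The _vti_pvt entry is not reported because the article lists that directory as a writable data directory, not an executable one.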
Version : windows:97
Platform : WINDOWS
Hardware : x86
Issue type : kbinfo
Last Reviewed: October 17, 1998