Microsoft KB Archive/231856

= Err Msg: PROBLEM: Your Web Is Insecure Because the Server Extensions DLLs Are Installed on a FAT Drive =

Article ID: 231856

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft FrontPage 2000 Server Extensions




This article was previously published under Q231856



SYMPTOMS
When you install the FrontPage Server Extensions on a drive that is formatted as a FAT partition, you are informed that the Web is insecure. When you run the Check and Fix reports, the following error message is displayed:

PROBLEM: Your web is insecure because the server extensions DLLs are installed on a FAT drive. We recommend that you convert the drive that the extensions are installed on to NTFS.

NOT CORRECTED



CAUSE
The FrontPage 2000 Server Extensions store the contents of the _vti_bin folder (traditionally stored in the content area) in the following path:

:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi

This folder is mapped into each site as a virtual directory. If this location is on a FAT partition, FrontPage considers it to be insecure, because you cannot set file-level permissions on a FAT partition. When the extensions are installed on NTFS, the ACLs are set so that Everyone has Read and Execute permissions on this folder and its contents. This prevents the possible security threat of malicious code being uploaded to the _vti_bin folder and executed.



WORKAROUND
To secure an ISP environment, you should have only NTFS partitions and you should lock them down. The Program Files and WINNT directories should have only Read permissions. In some cases, they can grant Execute permissions to Everyone, with Write permissions granted only to Administrators/SYSTEM and other trusted accounts and groups. The only option is to convert the boot drive to NTFS in order to provide the tightest possible security.

In some instances, customers have inquired about installing the Server Extensions to a drive other than the system drive in order to get the Server Extensions DLL files onto an NTFS partition. However, the Server Extensions install only to the system drive; therefore, this is not an option. The overriding issue is that a computer with its system on a FAT partition is fundamentally not secure. The warning about the content or executables being on a FAT partition is designed to prevent a scenario where malicious scripts on the server could overwrite the FrontPage executables or even system binaries such as Kernel32.dll. If scripts are not enabled on the Web sites and options such as NoExecutableCgiUpload are turned on, then FrontPage is just as secure as the FAT-based system is in general. Moving the _vti_bin directory to an NTFS partition does not necessarily make the computer more secure.
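One way to check both conditions described above on a host that has PowerShell, as an added example that is not part of the original KB article: it reports whether the volume holding the isapi folder is NTFS, then lists any Allow entries that give a write-type right to an account other than Administrators or SYSTEM. The function name `Test-FpseIsapiFolder` is hypothetical, the drive is assumed to be the one `$env:CommonProgramFiles` points to, and the trusted list is an assumption to extend with your own trusted accounts.

```powershell
# Added example: audit the Server Extensions ISAPI folder named in this article.
# Assumption: the folder sits under the system drive's Common Files directory.
function Test-FpseIsapiFolder {
    param(
        [string]$Path = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\40\isapi')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    # 1. File system check: a FAT volume cannot hold file-level ACLs at all.
    $root   = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $format = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($format -ne 'NTFS') {
        Write-Warning "$root is $format; file-level permissions cannot be set."
        return
    }

    # 2. ACL check: only trusted principals may hold any write-type right.
    $trustedSids = 'S-1-5-32-544', 'S-1-5-18'   # Administrators, SYSTEM (assumed list)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
                       $rights::DeleteSubdirectoriesAndFiles -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership) -bor
                 0x10000000 -bor 0x40000000      # GENERIC_ALL, GENERIC_WRITE

    # Walk the folder itself plus everything below it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Compare by SID so the check does not depend on localized account names.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($trustedSids -notcontains $sid) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Test-FpseIsapiFolder
```

No output after the NTFS check means no untrusted account holds a write-type right on the folder or its contents.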

Additional query words: front page

Keywords: kbprb KB231856


© Microsoft Corporation. All rights reserved.