Microsoft KB Archive/162144

= FP97: Minimum NTFS File Permission Requirements =

Article ID: 162144

Article Last Modified on 8/10/2001

-

APPLIES TO


 * Microsoft FrontPage 97 Standard Edition

-

This article was previously published under Q162144

SUMMARY
The security architecture of the Microsoft Internet Information Server (IIS) relies on the Windows NT File System (NTFS). This article describes minimum NTFS access permissions required to run FrontPage 97 and which permissions are altered during installation or when you run Check Installation from the FrontPage 97 Server Administrator.



MORE INFORMATION
NOTE: References to Shtml.dll, Author.dll, or Admin.dll apply equally to their CGI counterparts, Shtml.exe, Author.exe, and Admin.exe, on IIS 1.x servers. FrontPage only edits access control lists (ACLs); it does not change file access permissions of accounts not listed in the following section.

File Permissions Assigned by Check Installation
Check Installation is a feature of the FrontPage 97 Server Administrator (Fpsrvwin.exe) that you can run to correct problems in NTFS permissions. When you run Check Installation, permissions are set on the files as follows. Each entry shows the permission name followed by the rights letters in the Windows NT File Manager notation: for a directory, the first parenthesized group applies to the directory itself and the second to files subsequently created in it ("Not Specified" means such files receive no entry for that account); a file has a single group. R = Read, W = Write, X = Execute, D = Delete.

Windows NT directory:

  \WINNT\Frontpg.ini             INTERACTIVE: Read (R)          NETWORK: Read (R)
  \WINNT\System\Fp20htp.dll      INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System\Fp20tl.dll       INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System\Fp20txt.dll      INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System\Fp20utl.dll      INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System\Fp20wel.dll      INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Infoadmn.dll   INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Mfc40.DLL      INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Msvcrt40.DLL   INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Netapi32.DLL   INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Netrap.dll     INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Rpcltc1.DLL    INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Samlib.DLL     INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)
  \WINNT\System32\Wsock32.DLL    INTERACTIVE: Read (RX)(RX)     NETWORK: Read (RX)(RX)

Microsoft FrontPage Installation Directory:

NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.

  \Microsoft FrontPage\Servsupp                            INTERACTIVE: Read (RX)(RX)               NETWORK: Read (RX)(RX)
  \Microsoft FrontPage\Servsupp\Fp20msft.dll               INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
  \Microsoft FrontPage\Servsupp\Servers.cnf                INTERACTIVE: Special Access (R)          NETWORK: Special Access (R)
  \Microsoft FrontPage\Bin                                 INTERACTIVE: List (RX)(Not Specified)    NETWORK: List (RX)(Not Specified)
  \Microsoft FrontPage\Bin\Fp20vss.dll                     INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
  \Microsoft FrontPage\Bin\Fpext*.msg                      INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
      (only if files are present for multi-language support)
  \Microsoft FrontPage\Isapi\                              INTERACTIVE: Read (RX)(RX)               NETWORK: Read (RX)(RX)
  \Microsoft FrontPage\Isapi\_vti_bin                      INTERACTIVE: Read (RX)(RX)               NETWORK: Read (RX)(RX)
  \Microsoft FrontPage\Isapi\_vti_bin\Shtml.dll            INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
  \Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\            INTERACTIVE: Read (RX)(RX)               NETWORK: Read (RX)(RX)
  \Microsoft FrontPage\Isapi\_vti_bin\_vti_adm\Admin.dll   INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
  \Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\            INTERACTIVE: Read (RX)(RX)               NETWORK: Read (RX)(RX)
  \Microsoft FrontPage\Isapi\_vti_bin\_vti_aut\Author.dll  INTERACTIVE: Read (RX)                   NETWORK: Read (RX)
  \Microsoft FrontPage\Temp                                INTERACTIVE: Special Access (RWX)(RWX)   NETWORK: Special Access (RWX)(RWX)
  \Microsoft FrontPage\Temp\Frontpg.lck                    INTERACTIVE: Special Access (RW)         NETWORK: Special Access (RW)

Web Content Area:

When you run Check Installation on an existing FrontPage web, the files and directories in the content root directory are modified. No changes are made to NTFS permissions in FrontPage subwebs. The minimum access permissions required in FrontPage subwebs are set by duplicating the permissions in the following list on all "_vti_*" directories and the files stored within these directories. In addition, you need to set read permissions on Shtml.dll for browsers, Author.dll for authors, and Admin.dll for administrators. The following list assumes that your web content is stored in \Inetpub\Wwwroot.

  \Inetpub                                 INTERACTIVE: List (RX)(Not Specified)    NETWORK: List (RX)(Not Specified)
      (all directories enclosing the content root grant List permission to these accounts)
  \Inetpub\Wwwroot                         INTERACTIVE: List (RX)(Not Specified)    NETWORK: List (RX)(Not Specified)
  \Inetpub\Wwwroot\_vti_pvt                INTERACTIVE: Change (RWXD)(RWXD)         NETWORK: Change (RWXD)(RWXD)
  \Inetpub\Wwwroot\_vti_pvt\botinfs.cnf    INTERACTIVE: (RWX)                       NETWORK: (RWX)
  \Inetpub\Wwwroot\_vti_pvt\bots.cnf       INTERACTIVE: (RWX)                       NETWORK: (RWX)
  \Inetpub\Wwwroot\_vti_pvt\services.cnf   INTERACTIVE: (RX)                        NETWORK: (RX)
  \VSS\Win32\Ssapi.dll                     INTERACTIVE: (RX)                        NETWORK: (RX)
      (only if Visual SourceSafe 5 is installed)
  \VSS\Win32\Ssxx.dll                      INTERACTIVE: (RX)                        NETWORK: (RX)
      (only if Visual SourceSafe 5 is installed; xx is the country code, for example Ssus.dll for the United States, which is the default when no other country code is present)

Additional File Permissions Assigned by Installation
File permissions are assigned to the following list of files when FrontPage is installed. This list, combined with the previous list, shows the changes made when you install FrontPage on the server.

NOTE: This list assumes that the built-in NT Administrators and System groups already have full control over the entire drive, and that the IUSR_ account is granted read access to the web content before FrontPage is installed.

FrontPage assumes that an account with read access to the web content requires read access after installation. Such accounts become end users of the web content. IUSR_ is only granted access if it had access to the files at installation time. You can substitute "all user accounts with read access to the web content" in place of IUSR_. Regardless of what access permissions these accounts had prior to installation, they are normalized to the access permissions described in the following list during the installation process. The installing account is explicitly given administrator rights throughout the content area even though it is already an administrator. (NOTE: You need to be an NT Administrator to successfully run the FrontPage Server Administrator.)

Microsoft FrontPage Installation Directory:

NOTE: FrontPage is installed to one of the following directories by default: C:\Program Files\Microsoft FrontPage or C:\Microsoft FrontPage.

  \Microsoft FrontPage\Temp\_x_todo.htm   INTERACTIVE: Special Access (RWX)   NETWORK: Special Access (RWX)

Web Content Area:

  \Inetpub\Wwwroot                               IUSR_: Special Access (RWXD)(RWD)              The Installing Account: Special Access (RWXD)(RWD)
  All Browsable Content                          IUSR_: Special Access (RWD)
  \Inetpub\Cgi-Bin                               IUSR_: Special Access (RWXD)(RWD)              The Installing Account: Special Access (RWXD)(RWD)
  \Inetpub\Wwwroot\_vti_log                      IUSR_: Special Access (RWXD)(RWD)              The Installing Account: Special Access (RWXD)(RWD)
  \Inetpub\Wwwroot\_vti_pvt                      IUSR_: Special Access (RWXD)(RWD)              The Installing Account: Special Access (RWXD)(RWD)
  \Inetpub\Wwwroot\_vti_pvt\Access.cnf           IUSR_: Special Access (RWD)                    The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Doctodep.btr         IUSR_: Special Access (RWD)                    The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Deptodoc.btr         IUSR_: Special Access (RWD)                    The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Httpconf.lck         IUSR_<host_name>: Special Access (RWD)         The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Service.cnf          IUSR_<host_name>: Special Access (RWD)         The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Services.org         IUSR_<host_name>: Special Access (RWD)         The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\Svcacl.cnf           IUSR_<host_name>: Special Access (RWD)         The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_pvt\uniqperm.cnf         IUSR_<host_name>: Special Access (RWD)         The Installing Account: Special Access (RWD)
  \Inetpub\Wwwroot\_vti_txt                      IUSR_<host_name>: Special Access (RWXD)(RWD)   The Installing Account: Special Access (RWXD)(RWD)
  \Inetpub\Wwwroot\_vti_bin                      IUSR_<host_name>: Read (RX)(RX)                The Installing Account: Read (RX)(RX)
  \Inetpub\Wwwroot\_vti_bin\Shtml.dll            IUSR_<host_name>: Read (RX)                    The Installing Account: Read (RX)
  \Inetpub\Wwwroot\_vti_bin\_vti_aut                                                            The Installing Account: Read (RX)(RX)
  \Inetpub\Wwwroot\_vti_bin\_vti_aut\author.dll                                                 The Installing Account: Read (RX)
  \Inetpub\Wwwroot\_vti_bin\_vti_adm                                                            The Installing Account: Read (RX)(RX)
  \Inetpub\Wwwroot\_vti_bin\_vti_adm\Admin.dll                                                  The Installing Account: Read (RX)
  \Inetpub\Wwwroot\_vti_cnf                      IUSR_<host_name>: Special Access (RWXD)(RWD)   The Installing Account: Special Access (RWXD)(RWD)
  \Inetpub\Wwwroot\_private                      IUSR_<host_name>: Special Access (RWXD)(RWD)   The Installing Account: Special Access (RWXD)(RWD)

Changes in Permissions Required by FrontPage 1.1
The IUSR_ account now has only RX on all executable directories (_vti_*), which closes a security hole present in FrontPage 1.1, where the IUSR_ account was granted Full Control on the _vti_bin directory and on Shtml.exe. An intruder who had the IUSR_ password and logged on to the machine would have had write permission in an executable directory. FrontPage 1.1 itself NEVER allowed any client to write into the _vti_bin directory, so the threat came only from other means of access to the web server file system. Now that the IUSR_ account is granted only RX on _vti_bin, this potential hole is sealed. It is also no longer necessary to be an NT Administrator to administer webs using FrontPage Explorer.
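As an added example (not part of the article and not Microsoft's code), the following Python checker encodes the rule above: given an ACL snapshot in a constructed "path|account|rights" format, it reports any account other than Administrators, System or the installing account that holds more than RX on a _vti_bin, _vti_aut or _vti_adm directory or on a file stored beneath one. The snapshot format, the account name IUSR_WEB1 and the sample entries are assumptions for this example.

```python
import re

# Directories holding the FrontPage Server Extensions executables (Shtml, Author, Admin);
# the article's minimum permissions grant non-administrative accounts only RX here.
EXECUTABLE_DIRS = {"_vti_bin", "_vti_aut", "_vti_adm"}
# Accounts the article lets hold more than RX in the content area (matched case-insensitively).
TRUSTED_ACCOUNTS = {"administrators", "system", "the installing account"}

# Constructed snapshot format for this example (not cacls output): one ACE per line,
# "path|account|rights", rights being NT letters (R W X D P O) or the phrase "Full Control".
ACE_RE = re.compile(r"^(?P<path>[^|]+)\|(?P<account>[^|]+)\|(?P<rights>Full Control|[RWXDPO]+)$")


def parse_snapshot(text):
    """Group ACEs by path; a malformed line raises so a bad ACL cannot hide in a silent gap."""
    acl = {}
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"line {lineno}: unrecognised ACE {raw!r}")
        acl.setdefault(m["path"].strip(), []).append((m["account"].strip(), m["rights"]))
    return acl


def is_executable_path(path):
    """True for a _vti_bin/_vti_aut/_vti_adm directory or anything stored beneath one."""
    return any(part in EXECUTABLE_DIRS for part in path.lower().split("\\"))


def writable_executables(acl):
    """Return (path, account, excess_rights) for each untrusted ACE exceeding RX on executables."""
    findings = []
    for path, aces in acl.items():
        if not is_executable_path(path):
            continue
        for account, rights in aces:
            if account.lower() in TRUSTED_ACCOUNTS:
                continue
            # Full Control implies every write-class right; otherwise strip R and X and see what is left.
            excess = set("WDPO") if rights == "Full Control" else set(rights) - set("RX")
            if excess:
                findings.append((path, account, "".join(sorted(excess))))
    return findings


# Constructed sample: the FrontPage 97 minimum layout plus two FrontPage 1.1-style ACEs
# (IUSR_ Full Control on _vti_bin and Shtml.exe), which is the hole the article describes.
SAMPLE_SNAPSHOT = r"""
\Inetpub\Wwwroot|IUSR_WEB1|RX
\Inetpub\Wwwroot\_vti_pvt|IUSR_WEB1|RWXD
\Inetpub\Wwwroot\_vti_bin|IUSR_WEB1|Full Control
\Inetpub\Wwwroot\_vti_bin|The Installing Account|RX
\Inetpub\Wwwroot\_vti_bin\Shtml.exe|IUSR_WEB1|Full Control
\Inetpub\Wwwroot\_vti_bin\_vti_aut\Author.dll|The Installing Account|RX
"""
```

Running writable_executables(parse_snapshot(SAMPLE_SNAPSHOT)) flags the two IUSR_WEB1 Full Control entries and nothing else; the RWXD entry on _vti_pvt is permitted because that directory holds no executables.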

Additional query words: 97 front page

Keywords: kbinfo kbenv KB162144

-


© Microsoft Corporation. All rights reserved.