Microsoft FrontPage 2000 Server Extensions Resource Kit
Security on Windows NT

How FrontPage Authenticates on IIS

When an author or administrator performs an operation in the FrontPage client that requires the FrontPage Server Extensions on IIS, the FrontPage client and the server extensions communicate with each other using a Remote Procedure Call (RPC) protocol that is layered on top of HTTP and HTML. A POST request is sent from the FrontPage client to one of three FrontPage Server Extensions DLLs:
When an action of a visitor to a FrontPage-extended Web site requires the FrontPage Server Extensions, such as when the visitor submits a search form, the Web browser sends a POST request to the browse-time FrontPage Server Extension program, Shtml.dll.

When IIS receives a request for the FrontPage Server Extensions, it first logs on and impersonates the user and then passes the request directly to Admin.dll, Author.dll, or Shtml.dll. The FrontPage Server Extensions DLL then checks the permissions of the impersonated administrator, author, or site visitor against the ACL in the root folder of the FrontPage-extended web or subweb. (If the subweb inherited its permissions, the DLL makes the same check in its parent web.) The FrontPage Server Extensions perform this check using standard Windows NT system calls.

If the check is successful, the FrontPage Server Extensions DLL performs the requested action. If the check fails, the DLL returns this information to IIS, which sends a "Permission Denied" message to the FrontPage client or the Web browser.

Note that a single set of FrontPage Server Extensions DLLs is installed on IIS servers in the folder

Using the IIS MMC snap-in, you can create a new virtual directory on a Universal Naming Convention (UNC) share. When you do this, you are prompted for a user name and password for access to the mapped directory. You do not have to supply a name and password when prompted, and you should not. If you supply a name and password, every request that goes to the virtual directory runs as the account you supply, creating a security hole.
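
The check below is an added example, not part of the original Resource Kit: it flags virtual directories that map to a UNC share and carry a stored user name, the configuration the paragraph above warns against. It goes beyond the IIS version this page covers by assuming the applicationHost.config layout used by IIS 7 and later; the sample configuration and its site, share and account names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the applicationHost.config layout (IIS 7 and later).
# Site, share and account names are made up for this example.
SAMPLE_CONFIG = r"""
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Intranet" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
          <virtualDirectory path="/docs" physicalPath="\\fileserver\docs" />
          <virtualDirectory path="/shared" physicalPath="\\fileserver\shared"
                            userName="EXAMPLE\svc_web" password="[enc:constructed]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def find_fixed_identity_unc_vdirs(config_xml):
    """Return (site, url_path, unc_path, account) for each virtual directory
    that points at a UNC share and has a stored user name, so that every
    request is served under that one account instead of the caller's."""
    findings = []
    root = ET.fromstring(config_xml)
    for site in root.iter("site"):
        for app in site.iter("application"):
            for vdir in app.iter("virtualDirectory"):
                physical = vdir.get("physicalPath", "")
                account = vdir.get("userName", "")
                # UNC paths start with two backslashes; local paths are skipped.
                if physical.startswith("\\\\") and account:
                    url = (app.get("path", "/").rstrip("/") + "/"
                           + vdir.get("path", "/").lstrip("/"))
                    findings.append((site.get("name"), url, physical, account))
    return findings


if __name__ == "__main__":
    for site, url, unc, account in find_fixed_identity_unc_vdirs(SAMPLE_CONFIG):
        print(f"{site}{url}: every request to {unc} runs as {account}")
```

A UNC virtual directory with no stored user name, such as `/docs` in the sample, is not reported, because requests to it are not forced onto a single account.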

Last Updated November 1998 ©1998 Microsoft Corporation. All rights reserved.