Hosting Your Own FrontPage 2000-Based Web Site: Security Issues
Now that you have your Web site planned out, or even up and running, you are starting to think about security issues. Where do you start? What are the issues you really need to think about? And where can you find the information you need? This article will help you find what you need to know about Web site security. Use the links provided to learn more about how to make your Web secure for you and the people who visit your site.
This article provides information for individuals who are hosting a Web site on their own computer. However, you can also use the information and resources provided in this article as you work with (or select) your Internet service provider (ISP), to ensure the security of your Web site. Make sure that your ISP is familiar with, and using, the latest security technology.
Regardless of what software you are running, the two major security issues when you host Web sites from your computer are:

Protecting your computer from unauthorized users. Hosting Web sites, even on an intranet, opens your host computer to a wider community of users. To protect your computer, you need a way to control who has access to it, for example through the use of authentication. Authentication is the process of allowing users access to the Web service based on user names and passwords, or based on IP addresses. Restricting users by IP address is less secure, because clever users can "spoof" (or fake) an IP address and gain access to the host computer.

Protecting your computer from programs that run on the host computer. Programs can run on your computer based on the content of a Web site for many reasons. For example:
- A Hypertext Markup Language (HTML) page that "includes" or "substitutes" another page can cause a program to be run on the host computer.
- Marking directories executable to allow a script to run on the host computer can allow a program to do anything within the limits of the host computer's resource protection scheme.
- HTML pages can contain embedded controls, scripts, applets, and other programs that can cause programs to run on a host computer. Form handlers can introduce a further risk, because users can submit HTML commands from within form fields, causing programs to be run when the page containing the form results is browsed. (Form handlers in Microsoft FrontPage® 2000 do not allow this.)
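
As an added example (not part of the original article and not FrontPage code), the following Python audit flags the three kinds of content listed above in a set of pages. The SSI directive names, the FrontPage `webbot` comment form, the tag list, and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Comment-style directives that make the server do work when a page is served.
# Assumption: "includes"/"substitutes" map to SSI and FrontPage webbot comments.
SERVER_SIDE = re.compile(
    r'\s*(#include\b|#exec\b|webbot\s+bot="(?:include|substitution)")',
    re.IGNORECASE)
# Tags that embed scripts, applets, or controls (assumed list; extend as needed).
ACTIVE_TAGS = {"script", "applet", "object", "embed"}

class PageAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag))
        for name, _value in attrs:
            if name.startswith("on"):          # inline handlers such as onload
                self.findings.append(("event-handler", name))

    def handle_comment(self, data):
        m = SERVER_SIDE.match(data)
        if m:
            directive = " ".join(m.group(1).lower().split())
            self.findings.append(("server-side", directive))

def audit(pages):
    """Return {page name: [(kind, detail), ...]} for a dict of HTML strings."""
    report = {}
    for name, html in pages.items():
        auditor = PageAuditor()
        auditor.feed(html)
        auditor.close()
        report[name] = auditor.findings
    return report

# Constructed sample pages; the last one imitates a saved form-results page.
SAMPLE_PAGES = {
    "index.htm": "<html><body><h1>Welcome</h1><p>Plain page.</p></body></html>",
    "status.shtml": '<body><!--#exec cgi="/cgi-bin/uptime" --></body>',
    "about.htm": '<body><!--webbot bot="Include" U-Include="footer.htm" TAG="BODY" --></body>',
    "guestbook_results.htm": '<body><p>Name: <script>/* visitor-supplied */</script></p>'
                             '<img src="x.gif" onload="void 0"></body>',
}

if __name__ == "__main__":
    for page, findings in audit(SAMPLE_PAGES).items():
        print(page, findings or "clean")
```

A finding is a prompt for review, not proof of a problem: an include may be intentional, while script markup inside a form-results page means visitor input was stored without being encoded.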
About security in Microsoft FrontPage
Microsoft FrontPage provides administrative tools that let you set permissions and limit access to webs that you create and edit on a Web server. FrontPage security is based on the security mechanism used by the Web server and its operating system.
For more information about setting permissions on a web in FrontPage, type web site security in the Office Assistant or on the Answer Wizard tab in the FrontPage Help window, and then click Search. For information about what else you can do to guard against unauthorized access to your web and Web server, read Beyond Permissions: Securing Your FrontPage 2000-Based Web.
Security and FrontPage Server Extensions
The FrontPage Server Extensions are a set of programs on the Web server that support authoring, administering, and browse-time FrontPage Web functionality. FrontPage Server Extensions provide enhanced functionality but are not necessary to host your FrontPage-based Web site. For more information, consult the Microsoft FrontPage 98 Server Extensions Resource Kit.
Whether or not a Web server runs the FrontPage Server Extensions, properly configuring security settings requires a knowledgeable Web administrator. For an answer to the question "How secure are the FrontPage Server Extensions?" and to other commonly asked questions about the security model used by the FrontPage Web site creation and management tool, see Microsoft FrontPage 98 Server Extensions Resource Kit.
The Security Considerations section of the FrontPage Server Extensions Resource Kit describes general Web hosting security issues and how FrontPage protects Web server security on UNIX-based Web servers and on the Internet Information Server (IIS) Web server for Microsoft Windows NT®.
For a discussion of the results of tests designed to evaluate the security controls for FrontPage Server Extensions, read Microsoft FrontPage 2000 Server Extensions Security White Paper.
Windows NT and Internet Information Server (IIS) security articles
Microsoft Internet Information Server (IIS) is built into the Microsoft Windows NT Server operating system. It was designed to deliver the highest level of security for corporate intranets and the Internet. The following links provide detailed information on security in both Windows NT and IIS, and on how these products work together.
- Untangling Web Security: Getting the Most from IIS Security. Detailed explanations of some of the misunderstood security features in IIS 4.0, including client certificate mapping, IP address restrictions, Secure Sockets Layer (SSL) server bindings, and Web permissions.
- Characteristics of a Secure System. Discusses some of the most important requirements of C2-level security, a requirement of many U.S. government installations.
- Understanding Internet Information Server Security. This white paper provides the reader with an overview of the security model used by IIS.
- Web Security Features. IIS 4.0 helps you keep documents and applications secure, identify and authenticate users, and keep data confidential and secure over the network.
- Authentication and Security for Internet Developers. An explanation of Windows NT security as it relates to IIS, so you can effectively troubleshoot security-related problems.
General Web security articles
- Introduction to Security. Information about what you can do to secure your information resources and your intranet from unauthorized access, viruses, or theft of data. A general overview of some key areas of information technology security and ideas on where else to go to learn more.
- For Starters: #8. How to Feel Secure. An introduction to security issues you should plan for, and the latest in security technologies. Also contains links to a lot of great information, so you can get up to speed on security issues, and quiz your ISP to ensure that its security systems are top-notch.
- The Basics of Security. Technologies, techniques, and basic concepts for thinking about security for your Web site. Includes discussions on access control, auditing, authentication, privacy, and data integrity.
- Fight Fire with Firewalls. A discussion of server issues, firewalls, and other security issues.
- Web Security. A discussion of the general requirements for Web security and of two standardized schemes that are becoming increasingly important as part of Web commerce: Secure Sockets Layer (SSL)/Transport Layer Security (TLS); and Secure Electronic Transactions (SET).
Web site security resources
- Internet Explorer Security Area. Microsoft posts information and code fixes for security problems here as soon as they are available.
- Security. The Security Hot Topic Area of the Microsoft Internet Services Network Web site presents security news articles, technical white papers, and training and certification information.
- Microsoft Security Advisor Web Site. Security information, bulletins, headlines and further resources.
- Security & Cryptography on MSDN. This section of the MSDN Web Workshop covers security issues for both developers and administrators, from anti-virus information to URL security zones.
- Security Services. The Security section of the Windows NT Web site provides overviews, technical details, and resources for Windows NT security.
Outside of Microsoft.com
Note: The sites listed below are not administered by Microsoft, and Microsoft makes no warranty regarding the services found on them.
- CERT Coordination Center (Computer Emergency Response Team)
- ICSA.net (International Computer Security Association)