COMMAND

    Front Page Server Extensions

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Michael Thomas found the following. The FrontPage Server Extensions
    documentation describes how to block the display of the complete
    server user database, but misses some points...

    The example shows that for a web site named www.yourdomain.com on
    port 80, one should create the restriction group
    FP_www.yourdomain.com:80. This indeed works when the FrontPage
    user enters www.yourdomain.com in the "Open FrontPage Web" dialog.
    However, if the web site has the IP address 10.1.1.1 and the  user
    enters 10.1.1.1  in the  "Open FrontPage  Web" dialog,  the entire
    user list is  visible. This can  be blocked by  defining the local
    group FP_10.1.1.1:80, but it must be defined.

    Further, if the domain is assigned the same IP address, the user
    could also enter yourdomain.com and the entire user list would be
    visible. Again, it can be blocked by creating the local group
    FP_yourdomain.com:80. If you don't understand that a domain can
    have an IP address, talk to your DNS operator.

    Some customers have multiple  domains mapped to the  same address.
    For example,  myotherdomain.com also  has the  IP address 10.1.1.1
    and the node www.myotherdomain.com also has the address  10.1.1.1.
    So   if   the    user   enters    either   myotherdomain.com    or
    www.myotherdomain.com  in  the  "Open  FrontPage  Web" dialog, the
    entire user list is visible. Again, block these by defining
    FP_myotherdomain.com:80  and  FP_www.myotherdomain.com:80.  If you
    don't  understand  how  domain  mapping  works,  talk  to your DNS
    operator.

    FTP sites are commonly a CNAME  for the web site.  If  your domain
    name server has the  following line for an  FTP site or any  other
    node for that matter, then you need to block that as well.

        ftp  CNAME www.yourdomain.com

    or

        anynode CNAME www.yourdomain.com.

    And the  final problem  is a  web site  that also  has SSL running
    (likely port 443).  All of the  local groups defined  as FP_xxx:80
    must also exist as FP_xxx:443.

SOLUTION

    Mostly, the problem is with the documentation: the behavior
    described above is not intuitively obvious. The good news is that
    the security problem can be fixed.

    To fix the above example  problems (with CNAME), define the  local
    groups  FP_ftp.yourdomain.com:80  and FP_anynode.yourdomain.com:80
    (and :443) if required. The other workaround is to not define a
    CNAME to your  web site, but  instead to assign  the ftp or  other
    node its own IP address.
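
    An audit helper for the cases above, added here as an example and
    not part of the original advisory: it collects every name in a zone
    that ends up at the web server's address (A records and CNAMEs),
    adds the bare IP, and lists the FP_<name>:<port> local groups that
    are still undefined. The zone data and function names are
    constructed for illustration; names from other zones mapped to the
    same address (such as myotherdomain.com) are passed in the same way.

```python
# Added example; the zone data and helper names are constructed for illustration.

ZONE_ORIGIN = "yourdomain.com"
ZONE_LINES = """
@        A      10.1.1.1
www      A      10.1.1.1
mail     A      10.1.1.9
ftp      CNAME  www.yourdomain.com.
anynode  CNAME  www
"""

def fqdn(name, origin):
    """Expand a zone-file name: '@' is the origin, a trailing dot means absolute."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()

def names_for_ip(zone_text, origin, ip):
    """Return every name in the zone that ends up at `ip`, following CNAME chains."""
    a_records, cnames = {}, {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        owner, rtype, value = fields
        if rtype.upper() == "A":
            a_records.setdefault(fqdn(owner, origin), set()).add(value)
        elif rtype.upper() == "CNAME":
            cnames[fqdn(owner, origin)] = fqdn(value, origin)
    hits = {n for n, ips in a_records.items() if ip in ips}
    changed = True
    while changed:  # repeat so that a CNAME pointing at another CNAME is also caught
        changed = False
        for alias, target in cnames.items():
            if target in hits and alias not in hits:
                hits.add(alias)
                changed = True
    return hits

def required_groups(names, ip, ports=(80, 443)):
    """Every entry a user could type in 'Open FrontPage Web', on each listening port."""
    return {f"FP_{host}:{port}" for host in set(names) | {ip} for port in ports}

def missing_groups(required, existing):
    """Compare case-insensitively, as Windows local group names are not case-sensitive."""
    have = {g.lower() for g in existing}
    return sorted(g for g in required if g.lower() not in have)
```

    Pass the server's current local group names as `existing`; anything
    returned by missing_groups() is a name/port combination that still
    exposes the full user list.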