FrontPage and folders that begin with "_"

Paul

Hi,
Is there any reason why I should or should not create Folders that
begin with an "_" (underscore) in FrontPage? I heard that there was a
security advantage to using it.
Thanks,
Paul
 
Thomas A. Rowe

The _ as the first character hides the folder from the FP search component
and by default hides the folder from the FP Client.

Only the _private folder has specific permissions assigned by the FP
extensions. Folders you create will just be hidden.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Jack Brewster

One problem with creating directories with leading underscores in their name
is that the _private folder is the _only_ folder that is viewable regardless
of whether you have "Show hidden files and folders" selected.

To change the setting for viewing hidden files and folders:
- Open an FP web
- Click "Tools | Web Settings..."
- Select the "Advanced" tab
- Check/Uncheck "Show hidden files and folders" to switch

If the checkbox is empty, any folders you create with a leading underscore
will not be visible even inside of FrontPage. You must check this box to
see them. When you do that, you'll notice other directories such as those
for shared borders, etc.

In all my years of using FrontPage, I've never come across a need to create
hidden directories using this method. I've always managed to make use of
the _private folder for my needs.
 
Paul

Hi,
I know that it hides it in FrontPage, but does it offer any other
protection from visitors, especially in a security sense? Are ones I
create different from _private? If so, what does private have that
ones I create don't? Is there a way to manually give the ones I
create the same settings from the server?
Thanks,
Paul
 
Thomas A. Rowe

Even _private doesn't really offer any security: if you know the name of a
file that is located within it, you can then access it.

_private basically has write access assigned to the web bots, whereas all
other folders are browser read-only.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Stefan B Rusynko

The advantage is _hidden folders are also hidden from the FP webbots (like TOC and search)

--




| Hi,
| I know that it hides it in FrontPage, but does it offer any other
| protection from visitors, especially in a security sense? Are ones I
| create different from _private? If so, what does private have that
| ones I create don't? Is there a way to manually give the ones I
| create the same settings from the server?
| Thanks,
| Paul
|
| > One problem with creating directories with leading underscores in their name
| > is that the _private folder is the _only_ folder that is viewable regardless
| > of whether you have "Show hidden files and folders" selected.
| >
| > To change the setting for viewing hidden files and folders:
| > - Open an FP web
| > - Click "Tools | Web Settings..."
| > - Select the "Advanced" tab
| > - Check/Uncheck "Show hidden files and folders" to switch
| >
| > If the checkbox is empty, any folders you create with a leading underscore
| > will not be visible even inside of FrontPage. You must check this box to
| > see them. When you do that, you'll notice other directories such as those
| > for shared borders, etc.
| >
| > In all my years of using FrontPage, I've never come across a need to create
| > hidden directories using this method. I've always managed to make use of
| > the _private folder for my needs.
| >
| > --
| > Jack Brewster - Microsoft FrontPage MVP
| >
| > > The _ as the first character hides the folder from the FP search component
| > > and by default hides the folder from the FP Client.
| > >
| > > Only the _private folder has specific permissions assigned by the FP
| > > extensions. Folder you create will just be hidden.
| > >
| > > --
| > >
| > > ==============================================
| > > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > > WEBMASTER Resources(tm)
| > >
| > > FrontPage Resources, Forums, WebCircle,
| > > MS KB Quick Links, etc.
| > > ==============================================
| > > To assist you in getting the best answers for FrontPage support see:
| > > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > >
| > > > Hi,
| > > > Is there any reason why I should or should not create Folders that
| > > > begin with an "_" (underscore) in FrontPage? I heard that there was a
| > > > security advantage to using it.
| > > > Thanks,
| > > > Paul
| > >
| > >
 
Jack Brewster

My experience shows that the _private folder _cannot_ be browsed. But I've
gone through all the motions to secure my IIS server so I don't know what
the behavior is "out of the box".
 
Thomas A. Rowe

Jack,

You can't browse it, but if you know an actual file name, you can access it
directly.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Jack Brewster

I tried addressing a specific file by name and received a 404 error. I'll
bet that was URLScan. So, my guess is probably right that it isn't this
secure out of the box.
 
Ronx

My experience on UNIX (FP2000 extensions) is that the _private folder
requires Username and Password to browse and get named files.
On IIS5.1 and IIS6 (FP2002 extensions) - "out of the box" installations as
far as permissions go (though Server Health has been allowed to tighten
security) - I get a 403.2 (Read access denied) error on both browsing and
named files.
 
Thomas A. Rowe

Maybe it was back with the FP98 or first release of the FP2000 extensions,
where you couldn't browse the folder, but you could still access any file
within the _private folder if you knew the file name.

Since that time, I have never used the _private folder for storing any data
files. I just checked the FP2000 extensions under IIS 5 and you can not
access any files.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Paul

Hi,
I have been using folders with the leading "_" for two different
reasons. One is for folders to hold files that need to get updated.
This includes Access mdb files. The other is for an administrative
area. The reason I did this has been affirmed by this thread. I
wanted them to be hidden from the bots in FrontPage. Both of these
different uses have the properties set for them in something my web
provider calls a control panel and is using the server security
settings to set the "Read,Write,Execute and Delete" attributes for the
"Everyone" user. I am not sure, but I think this is like a group that
includes the anonymous user. At any rate, it is the settings for my
visitors. The default settings are "Read, Execute". My problem is
that I need the attributes to be more than the default in one case and
nothing in the other. I can set them and they work for a while, then
out of nowhere, they are changed without my doing anything. Sometimes
back to the defaults, sometimes to almost any combination. My web
support says that it is due to the leading "_" and FrontPage getting
confused some of the times. Most of the times, they say it is
impossible and I must have changed it myself, or the FrontPage client
did it when I saved a file from it. I have not heard of such a thing
and can't find anything about this anywhere. I get the impression
that they don't like FrontPage and would like to see it go away. Well
at least me, because they say no one else is having any problems like
I am.
Paul
 
Thomas A. Rowe

Paul,

The FP extensions only control permissions on the _private folder, and other
folders with _ are just hidden from view by default in the FP client
application and are not seen by the FP Search and TOC web bots.

Any time you or your host set permissions on a folder via the OS, running a
check on the FP extensions, and selecting the option to tighten security, FP
will reset all security back to default.

If you need to set permissions on folders, create them as subwebs and use
the FP Admin pages to set permissions.

If you are going to store your databases within the web, then you should
store or let FP store them in the fpdb folder, since FP also controls the
permissions on this folder and the actual database as well.

For better database security ask your host to create a folder with the
required permissions on the database itself and the folder outside the root
of the web; this way the permissions will not be affected by the FP extensions,
since the folder is not seen by the FP extensions. It does require that you
have FTP access to upload the database. You can still use FP to generate the
global.asa file for the connection, and FP will create a fpdb folder, DO NOT
delete this folder.

If you have deleted or have not used FP to create the fpdb folder, this might
be the cause of your application root issue in your subwebs.


--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
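
An added example, not part of the original thread or any poster's code: a Python audit that walks a local copy of a web and lists the data files stored inside the web space, labelled by the distinction drawn above (fpdb and _private have permissions set by the FP extensions; other underscore folders are only hidden). The extension list, the sample folder names and the function names are assumptions made for this example.

```python
import os
import tempfile

# Assumption for this example: file types treated as data files.
DATA_EXTENSIONS = {".mdb", ".csv", ".txt", ".log", ".dat"}
# Folders whose permissions the thread says the FP extensions control.
FP_MANAGED = {"fpdb", "_private"}


def classify_folder(rel_dir):
    """Label a folder (path relative to the web root)."""
    parts = [p.lower() for p in rel_dir.replace("\\", "/").split("/")
             if p not in ("", ".")]
    if any(p in FP_MANAGED for p in parts):
        return "fp-managed"
    if any(p.startswith("_") for p in parts):
        return "hidden-only"   # hidden from FP client and web bots, nothing more
    return "plain"


def audit_web_root(web_root):
    """Return sorted (relative_path, label) for every data file in the web."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        # Skip FrontPage's own _vti_* metadata folders.
        dirnames[:] = [d for d in dirnames if not d.lower().startswith("_vti_")]
        label = classify_folder(os.path.relpath(dirpath, web_root))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in DATA_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                findings.append((rel.replace("\\", "/"), label))
    return sorted(findings)


def needs_attention(findings):
    """Data files that sit in a hidden-only or ordinary folder."""
    return [path for path, label in findings if label != "fp-managed"]


def build_sample_web(root):
    """Constructed sample layout, for demonstration only."""
    for rel in ("index.htm", "fpdb/site.mdb", "_private/form_results.txt",
                "_data/orders.mdb", "_admin/default.asp", "logs/fallback.log",
                "_vti_cnf/index.htm"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as web:
        build_sample_web(web)
        for path, label in audit_web_root(web):
            print(f"{label:12} {path}")
```

Files reported by needs_attention are the ones to move into fpdb or, where the host allows it, to a folder outside the web root.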
 
Paul

Hi,
When I looked at the sub web in question, it did not have the fpdb
folder in it, this is something I will look into. You are
recommending that I have FP create this folder. Should I put all of
my DB files in there, even if I don't use the FP code/connection to
access it. Do you recommend that I stick with the FP generated code
to access it? Should I also put any flat files that I plan to update
via code in there as well? Is there an other folder that would be
better suited for these files?

Paul
 
Thomas A. Rowe

1. To create the fpdb folder in the subweb, just drag and drop a database
into the web, FP will prompt you to let it move the database to the fpdb,
which it will create, then it will create a global.asa file in the root of
the subweb, this should also take care of creating the application root for
the subweb.

2. I don't use the FP Database component other than the function to create
the global.asa and fpdb folder. If your host allows you to store your
database outside of the space for your web page, then the database doesn't
need to be in the fpdb folder, however if not, then it is best to use the
fpdb folder.

2a. With my host, my fpdb folder is always empty, since I am allowed to store
the databases outside of web space, which requires FTP access for uploading.

3. I would not store any pages, scripts, etc., just the databases, in the fpdb
folder. I usually create a folder for includes or scripts as _includes or
_script, this way the pages are hidden from any FP Search or TOC web bots.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Paul

Hi,
I am trying to understand why you (with FrontPage) would create the
fpdb folder if you don't use it or the code in global.asa. Is there
something that is being done that is needed, even if you don't use
them?

I am being told that if I put my Database in fpdb that everyone will
know where it is. Are there any dangers to having it there? I am
guessing there is because you don't use it. I don't know if I can
store the db off web as you are doing, but what about storing them in
a sub web. Would this be a benefit or a problem? Is there a problem
with creating a sub web with a leading "_" or is this not needed then?
If a sub web is used for the db, are there any obstacles that will
need to be overcome?

I have flat files that do nothing but store data. I have asp pages
that read and write to them. Where is the best place to store these
files as they need write authority. I only suggested the fpdb folder
because it has write authority and does not get changed by FP. Is
there a problem with storing data files in fpdb? This may be a moot
point if a Data sub web can be used safely.

Paul
 
Thomas A. Rowe

See inline below.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


Paul said:
> Hi,
> I am trying to understand why you (with FrontPage) would create the
> fpdb folder if you don't use it or the code in global.asa. Is there
> something that is being done that is needed, even if you don't use
> them?

I don't create the fpdb folder or global.asa file, FP does when I use the
Tools | Web Settings | Database tab to create a System DSN connection.

> I am being told that if I put my Database in fpdb that everyone will
> know where it is. Are there any dangers to having it there? I am
> guessing there is because you don't use it. I don't know if I can
> store the db off web as you are doing, but what about storing them in
> a sub web. Would this be a benefit or a problem? Is there a problem
> with creating a sub web with a leading "_" or is this not needed then?
> If a sub web is used for the db, are there any obstacles that will
> need to be overcome?

The only danger of having the database within your FP web space is that if
the permissions break or fail on the web, then anyone with FP has access to your
complete web site content, including any databases. However with the
database stored outside of the web space, then your database is safe unless
the hacker has breached the entire server.

The fpdb folder has the necessary permissions to avoid users having access to
the database via the browser. Using a subweb, the required permissions are
not set, unless you plan to use the fpdb folder within the subweb. Second, if
you use the FP Database component, then your database connection is limited
to the web you create it in, so in the case of a subweb, the connection
would not work from the root web or other subwebs, just the subweb you
created it in.

Since I use a System DSN, I do not have this problem, as I let FP create the
fpdb folder and global.asa file in each subweb that I want to access my
database(s) stored outside of the web root.

Also the reason I suggest that you let FP create the fpdb folder and
global.asa file is that it might solve your issue of having the application
root configuration set for your root or sub web.

> I have flat files that do nothing but store data. I have asp pages
> that read and write to them. Where is the best place to store these
> files as they need write authority. I only suggested the fpdb folder
> because it has write authority and does not get changed by FP. Is
> there a problem with storing data files in fpdb? This may be a moot
> point if a Data sub web can be used safely.

I avoid using the flat files since it requires access to the file system, via
the FileSystemObject. I always use Access to store data. I do however use
the FileSystemObject to manage the deletion of images. Anyway I don't see a
reason why you can't use the fpdb folder, if it works for you.
 
Paul

Thanks Thomas, this is very useful information.

My question about not understanding why you would create fpdb and not
use it may have been a little confusing. I did know that you had FP
create it for you (or me). I got from your other messages that you
personally have FP create it for you, yet you don't use the folder,
nor do you use any of the code in global.asa. I think I understand
your point about that you use a folder that is external to the web
space. I think that this option would be the best way to do it as you
have said. I don't think this option is available to me at my WPP
though. The question I was asking was if there were any benefits to
the fpdb folder being created by FP other than the permissions on the
fpdb folder or the code in global.asa?
At this point, I am trying to explore the options I have for using a
folder(s) inside the web space that will provide the maximum security
and flexibility for both the DB and flat files that I have code
update. I will take your point that you don't use updateable flat
files into consideration. I currently don't use the database code
provided by FP in global.asa. I think that I deleted it (the other FP
code is still there) along with the fpdb folder. I would like to
understand why you said I shouldn't do that (delete the fpdb folder).
If it only has to do with the application root, then I think I
understand. If it is further than that, please explain.
I have heard that the best way to code a dsn is inline. I can't
remember what they called this but I don't use any of the system, user
or file dsn methods. I think that this will allow me to access a
database in a sub web, but I will have to experiment with this. The
two questions I had were about the sub web having a leading "_" to
keep it from the FP bots. Is this still useful if it is a sub web?
Then, I was trying to determine if I needed to use the fpdb inside the
sub web. It looks like it would be desirable from your response. My
idea for using a sub web for this is to help conceal its location or
at least make it less obvious. I know that if someone really wanted
it they could probably get it.

Thanks again,
Paul
 
Thomas A. Rowe

Paul,

Actually I do use the global.asa file. The reason I leave the fpdb folder is
that FP creates it when it creates the connection even when you are not
connecting to a database within the specific web, so I just leave it. Same
as with the _private folder, which I also don't use, but if you delete it
and run a check on the extensions, FP will put it back, so again I just
leave it since FP creates it.

I don't know for sure, but the creation of the fpdb may also trigger the
setting of the application root, which was one of your issues.

If you need to store your database in the web, then let FP create the fpdb
folder as the correct permissions will be set on the folder and the database
file itself. If you place your flat file, you will only have the folder
permissions, not file permissions.

I prefer to use System DSN, as it makes it easy for me to maintain 30+ client
web sites and not worry about the physical location of the database when
working live or locally against my Windows 2000 Server.

Plus if someone were able to access the live site via FP, they will not
have a path or access to the database, since it is not stored within the
actual web space.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Paul

Yes, I am still working on this and I thank you for all of your help.

I have a few places where I log some info to a flat file. I do this
at times when the db write fails for redundancy. I have tried putting
them somewhere in fpdb and _Private in an effort to find a folder that
I can create, modify and delete files and not have the permissions
altered when FP resets the folders to the default settings. Is there a
folder that FP would create that would do this? Is there something I
can ask my WPP to do that will make a folder so I can create, modify
and delete files from asp code and FP will not reset them to the
defaults?

> If you place your flat file, you will only have the folder
> permissions, not file permissions.

Could you explain this? Perhaps an answer for the above questions
will make it unnecessary.


Paul
 
