Monday, February 11, 2008

Restrict What Authors Can Do

If you administer the Web server where your FrontPage-based web is published, you can prevent Web authors from accessing certain resources that are on the server. For example, you can prevent authors from uploading malicious files to the Web server in an executable directory, where the files can be run using a browser.
To prevent authors from uploading or running unauthorized programs on a Web server, set the appropriate configuration variables for the FrontPage 2000 Server Extensions. For more information about the FrontPage Server Extensions configuration variables, see the first of the Appendixes in the FrontPage Server Extensions Resource Kit.
The following configuration variables control authors' access to scripts and executable files on a Web server. In most cases you can restrict authors' access simply by keeping the settings that the FrontPage Server Extensions apply by default during installation. For example, the NoExecutableCGIUpload configuration variable is set to "on" by default.

AllowExecutableScripts - Set to "off" (default) to prevent authors from running scripts, such as CGI scripts, ISAPI extensions, and Active Server Pages (ASP).

NoExecutableCGIUpload - Set to "on" (default) to prevent authors from uploading executable files.

NoMarkScriptable - Set to "off" to prevent authors from being able to allow scripts to be run in a given folder (the setting is "on" by default).
Remember that some authors may need to upload executable files or run scripts - for example, if they are incorporating a database into their FrontPage-based web, or if they are using ASP pages. You can selectively enable the ability to upload executable files and run scripts for these authors by setting the appropriate configuration variables on the virtual servers that these authors use.
In addition to the ability to upload executable files and run scripts, system data source names (DSNs) are another resource on the Web server that you should be wary of exposing to web authors. You can hide system DSNs by turning the ListSystemDSNs configuration variable off, either globally or for individual virtual servers. The default setting is "on" when you first install FrontPage Server Extensions.
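The four configuration variables above form a small checklist an administrator can audit rather than trust. The following is an added example, not Microsoft's tooling and not part of the original post: it compares a snapshot of the settings against the restrictive values given in the text, applies per-virtual-server overrides on top of the global settings (the selective enabling described for database authors), and reports every variable that deviates. The "name=value" snapshot format and the sample values are constructed for the example; the real Server Extensions keep these settings in the registry or their own configuration files.

```python
"""Audit FrontPage Server Extensions configuration variables.

Added example (not Microsoft's tooling). Assumption: settings are supplied as
flat "name=value" text, one snapshot for the global scope and an optional one
per virtual server. That format is constructed for this example.
"""

# Restrictive value for each variable named in the text.
RESTRICTIVE = {
    "AllowExecutableScripts": "off",  # authors may not run CGI/ISAPI/ASP
    "NoExecutableCGIUpload": "on",    # authors may not upload executables
    "NoMarkScriptable": "off",        # authors may not mark folders scriptable
    "ListSystemDSNs": "off",          # system DSNs hidden from authors
}

# Values the text says the Server Extensions use right after installation.
# Note that two of them (NoMarkScriptable, ListSystemDSNs) are NOT restrictive.
INSTALL_DEFAULTS = {
    "AllowExecutableScripts": "off",
    "NoExecutableCGIUpload": "on",
    "NoMarkScriptable": "on",
    "ListSystemDSNs": "on",
}


def parse_settings(text):
    """Parse a constructed name=value snapshot into a dict (values lower-cased)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().lower()
    return settings


def effective_settings(global_text, vserver_text=""):
    """Resolve the values in force for one virtual server.

    A per-virtual-server override wins over the global setting, and anything
    left unset falls back to the installation default.
    """
    merged = dict(INSTALL_DEFAULTS)
    merged.update(parse_settings(global_text))
    merged.update(parse_settings(vserver_text))
    return merged


def audit(settings):
    """Return (variable, actual, wanted) for every variable not restrictive."""
    findings = []
    for name, wanted in RESTRICTIVE.items():
        actual = settings.get(name)
        if actual != wanted:
            findings.append((name, actual, wanted))
    return findings


# Constructed sample snapshots (not real server configuration).
GLOBAL_SNAPSHOT = """
# global scope: NoMarkScriptable is not listed, so it keeps its install default
AllowExecutableScripts=off
NoExecutableCGIUpload=on
ListSystemDSNs=off
"""

# A virtual server where database authors were selectively allowed to upload
# and run executables, as the text describes.
VSERVER_DB_SNAPSHOT = """
AllowExecutableScripts=on
NoExecutableCGIUpload=off
"""

if __name__ == "__main__":
    for label, vserver in (("global", ""), ("db-authors vserver", VSERVER_DB_SNAPSHOT)):
        for name, actual, wanted in audit(effective_settings(GLOBAL_SNAPSHOT, vserver)):
            print(f"[{label}] {name} is {actual!r}, restrictive value is {wanted!r}")
```

Run against the constructed snapshots, the global scope is flagged only for NoMarkScriptable (never set, so still at its non-restrictive install default), while the database virtual server additionally shows the two deliberate relaxations, which is the list an administrator should be able to justify author by author.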
Make Database Resources Secure
If your FrontPage-based web includes a database, you can take steps to ensure that no unauthorized person can gain access to the database.
When you add a database to your FrontPage-based web, store it in the folder that FrontPage provides, _fpdb. FrontPage automatically marks this folder as not browsable, scriptable, or executable.
Use the security mechanisms that are built into the database or database server to restrict who can update the database content. Generally, Web authors' accounts do not need privileges beyond SELECT and UPDATE, which are used by FrontPage. If access restrictions are not set within the database, anyone with authoring or administrative rights to the web might be able to access and change the content of the database.
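Whether the database-side restriction is actually in place can be checked from the grant statements themselves. The following is an added example, not part of the original post: it parses a script of generic SQL GRANT statements (constructed sample; the exact GRANT syntax differs between database products, and the account and table names are assumed), and flags any Web author account holding privileges beyond the SELECT and UPDATE the text says FrontPage needs.

```python
"""Flag Web author database accounts that exceed SELECT and UPDATE.

Added example (not FrontPage's or any database vendor's code). Assumption:
grants are expressed as generic "GRANT <privs> ON <object> TO <account>;"
statements; the sample script and account names are constructed.
"""
import re

# The only privileges the text says FrontPage needs for Web author accounts.
ALLOWED_FOR_AUTHORS = {"SELECT", "UPDATE"}

GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<grantee>\S+?)\s*;?\s*$",
    re.IGNORECASE,
)


def parse_grants(script):
    """Return (grantee, object, set_of_privileges) for each GRANT statement."""
    grants = []
    for line in script.splitlines():
        m = GRANT_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-GRANT statements
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.append((m.group("grantee"), m.group("obj"), privs))
    return grants


def excess_privileges(script, author_accounts):
    """Return (account, object, extra_privileges) for each over-privileged grant.

    Only accounts listed in author_accounts are judged; administrator accounts
    are expected to hold broader rights and are left alone.
    """
    findings = []
    for grantee, obj, privs in parse_grants(script):
        if grantee not in author_accounts:
            continue
        extra = privs - ALLOWED_FOR_AUTHORS
        if extra:
            findings.append((grantee, obj, sorted(extra)))
    return findings


def minimal_grant(account, table):
    """The least-privilege statement to issue instead of an over-broad grant."""
    return f"GRANT SELECT, UPDATE ON {table} TO {account};"


# Constructed sample grant script (assumed account and table names).
SAMPLE_GRANTS = """
-- constructed, not from a real server
GRANT ALL PRIVILEGES ON guestbook TO fp_author;
GRANT SELECT, UPDATE ON guestbook TO fp_author2;
GRANT SELECT, INSERT, DELETE ON orders TO fp_author;
GRANT ALL PRIVILEGES ON orders TO dba_admin;
"""

AUTHOR_ACCOUNTS = {"fp_author", "fp_author2"}

if __name__ == "__main__":
    for account, obj, extra in excess_privileges(SAMPLE_GRANTS, AUTHOR_ACCOUNTS):
        print(f"{account} on {obj}: unnecessary {', '.join(extra)}")
        print("  replace with:", minimal_grant(account, obj))
```

On the sample script, fp_author is reported twice (a blanket ALL PRIVILEGES on guestbook and INSERT/DELETE on orders), fp_author2 passes, and the administrator account is ignored because it is not an authoring account; the point is that rights are checked in the database, not inferred from FrontPage's own permissions.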