Administering Security with Office Server Extensions

Securing Your OSE-extended Web

In addition to the direct methods of securing your OSE-extended web, you can:

• Prevent users from accessing confidential Web Discussions.
• Prevent Web Discussions on documents located on other Web sites.
• Control Microsoft Office Server Extensions (OSE) Directory Browsing.
• Allow users to subscribe to documents only.
• Monitor and delete inappropriate subscriptions.

Preventing access to confidential Web Discussions

To contribute to Web Discussions, users need read permission to the documents being discussed and collaboration access to the OSE-extended web that maintains the collaboration database. If you want to prevent some users from gaining access to confidential Web Discussions, you need to do the following:

• Remove the Everyone group from the access control list of the OSE root and Help folders (NTFS file system only).
• Remove anonymous access from the MSOffice virtual directory.
• Give collaboration access to users (NTFS file system only).

You can control access to Web Discussions when you first set up Office Server Extensions with the OSE Configuration Wizard, or you can use the following procedure to manage access manually after OSE has been installed.

To remove anonymous access from the MSOffice virtual directory

1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
2. In the left pane, expand the OSE-extended web, and then select the MSOffice virtual directory.
3. On the Action menu, click Properties, and then click the Directory Security tab.
4. In the Anonymous Access and Authentication Control area, click Edit.
5. Clear the Allow Anonymous Access check box.

To remove the Everyone group from the access control list of the OSE root, and Help folders (NTFS file system only)

1. In Windows Explorer, select the folder C:\Program Files\Microsoft Office\Office\ScriptsN\localeID.

   where N is the index of the OSE-extended web and localeID is the ID of the OSE locale (for example, the locale ID for English is 1033).

2. On the File menu, click Properties, and then click the Security tab.
3. Click Permissions.
4. In the Directory Permissions dialog box, remove the Everyone group.
5. Repeat this procedure for the C:\Program Files\Microsoft Office\Office\ScriptsN\localeID\Help folder.

To give collaboration access to users (NTFS file system only)

1. On the Start menu, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
2. On the User menu, click Select Domain.
3. In the Domain box, specify the local computer name.
4. In the bottom pane of the User Manager window, select website Collaborators, where website is the name of the OSE-extended web.
5. On the User menu, click Properties.
6. In the Local Group Properties dialog box, add the users you want to give collaboration access.

Note   When you extend your Web site with OSE, you can choose to have the OSE Configuration Wizard create local Microsoft Windows NT groups. If you do not choose to have the wizard create the groups, and then you decide you want to give users collaboration access, you can add users to the access control lists (ACLs) of the OSE root and Help folders.

When you want to give specific users read permission, but restrict them from accessing Web Discussions; or when you want to give specific users access to different Web Discussions on the same documents, you need to:

• Create multiple OSE-extended webs.
• Set different security settings on each site.

You can also use the Browsers group to give users the ability to view information on the server, but to block their access to Web Discussions.

Top

Preventing Web Discussions on documents located on other Web sites

Users with access to Web Discussions on an OSE-extended web can post discussion items about documents on your Web site, or anywhere on the Web. For policy reasons, you might want to restrict discussions to documents only on your Web site.

To prevent Web Discussions on documents located on other Web sites

1. On the Start menu, point to Programs, point to Microsoft Office Server Extensions, and then click OSE Administrator (HTML).

   – or –

   Type the following URL in the Address box of your browser:

   http://website/msoffice/msoadmin/

   where website is the name of the OSE-extended web.

2. Click Configure Web Discussions Settings.
3. Under Allow Web Discussions on, click Documents located anywhere on the web.
4. Click Submit.

Top

Controlling browsing of OSE folders

To maintain security on your Web site, you can control OSE directory browsing. When you enable OSE directory browsing, users with the List permission on the ACL of the OSE-extended web root folder can click Browse Web Folders in the OSE Start Page to see the files and folders that the root folder contains. This ability is a security consideration because users can see the server folder structure, and the names and types of documents that you might not want them to see.

You can disable OSE directory browsing for the entire Web site, or for particular subfolders of the Web site. When you clear the Directory browsing allowed check box in the content root, you disable OSE directory browsing for the entire Web site; and when you clear the Directory browsing allowed check box in particular subfolders, you disable OSE directory browsing in those subfolders.

To disable OSE directory browsing for the entire Web site

1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
2. In the left pane, click the OSE-extended web, or a subfolder of the Web site where you want to disable browsing.
3. On the Action menu, click Properties.
4. On the Home Directory tab, clear the Directory browsing allowed check box.

To allow specific users to browse specific files and folders (NTFS file system only)

1. In Windows Explorer, select a file or folder to control browsing.
2. On the File menu, click Properties.
3. On the Security tab of the Properties dialog box, click Permissions.
4. To allow a user to browse the file or folder, add the user to the list in the Directory Permissions dialog box, and then give the user the Read permission.

   – or –

   To allow a user to view a file, add the user to the list in the File Permissions dialog box, and then give the user the Read permission.

Top

Allowing users to subscribe to updates on documents only

The Web Subscriptions feature allows users to subscribe to a single document or to all the documents in a folder. Subscribers receive e-mail notifications when documents or discussions change. The updates include document names and the types of changes to the documents.

When users subscribe to a folder, they receive updates about all the documents in the folder — including documents that they do not have permission to view or alter. However, you can prevent users from creating subscriptions to folders, and you can limit subscriptions to documents only.

To set Web Subscriptions to documents only

1. On the Start menu, point to Programs, point to Microsoft Office Server Extensions, and then click OSE Administrator (HTML).

   – or –

   Type the following URL in the Address box of your browser:

   http://website/msoffice/msoadmin/

   where website is the name of the OSE-extended web.

2. Click Configure Web Subscription Settings.
3. Next to Allow Web Subscriptions to, click Documents only.
4. At the bottom of the page, click the Submit button.

Top

Monitoring and deleting inappropriate subscriptions

By using the Web Subscriptions feature, users can designate any Internet e-mail address to receive document updates. In addition, users who are no longer members of a specific workgroup might still have subscriptions to documents that are supposed to be accessible to only the current members of the workgroup. These scenarios represent possible security risks. To maintain a secure server environment, monitor and delete Web Subscriptions configurations on a regular basis.

To monitor and delete Web Subscriptions

1. On the Start menu, point to Programs, point to Microsoft Office Server Extensions, and then click OSE Administrator (HTML).

   – or –

   Type the following URL in the Address box of your browser:

   http://website/msoffice/msoadmin/

   where website is the name of the OSE-extended web.

2. Click Manage Web Subscriptions.
3. To delete one subscription, select the subscription, and then click Delete.

   – or –

   To delete all subscriptions, click Delete All.