microsoft.com Home  
Microsoft
http://www.microsoft.com/office/ork  
Microsoft Office 2000 Resource Kit Home
 Office 2000 and the Web
 Integrating Office 2000 with Your Intranet
 Using Office Server Extensions
Installing Office Server Extensions
Maintaining Office Server Extensions
Administering Security with Office Server Extensions
Advanced Administration of Office Server Extensions
Architecture of Office Server Extensions
 Overview of Tools and Utilities
Glossary
Index
Administering Security with Office Server Extensions

How to Configure Security on Your OSE-extended Web

You can configure the following security elements on each OSE-extended web:

  • Authentication
  • Collaboration, browsing, authoring, and administration permissions (NTFS file system only)
  • Individual file and folder permissions (NTFS file system only)

Configure authentication

When a Web client such as a Microsoft Office application or Web browser attempts to access a file or folder on a Web site, the server authenticates the client to determine whether the client has the credentials to connect to the server.

You can configure the Web server to allow anonymous access so that it does not require any credentials, or you can require user name and password information. If you require user name and password information, and the connecting client does not enter valid credentials, the Web server does not allow access.

To configure authentication for an entire Web site

  1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
  2. In the left pane of Internet Service Manager, select the Web site.
  3. On the Action menu, click Properties, and then click the Directory Security tab.
  4. In the Anonymous Access and Authentication Control area, click Edit.
  5. Select the authentication options you want, and then click OK.

Note   All folders, virtual directories, and files in the Web site inherit the authentication settings configured at the Web site level unless the authentication is overridden at the file, folder, or virtual directory level.

You can also configure authentication for selected content on your Web site.

To configure authentication for a folder or virtual directory

  1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
  2. In the left pane of Internet Service Manager, select the folder or virtual directory.
  3. On the Action menu, click Properties, and then click the Directory Security tab.
  4. In the Anonymous Access and Authentication Control area, click Edit.
  5. Select the authentication options you want, and then click OK.

Note   All files inherit the authentication settings configured at the folder and Web site level unless the settings are overridden at the file level.

To configure authentication for a file

  1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
  2. In the left pane of Internet Service Manager, select the folder where the file is located, and then click the file in the right pane.
  3. On the Action menu, click Properties, and then click the File Security tab.
  4. In the Anonymous Access and Authentication Control area, click Edit.
  5. Select the authentication options you want, and then click OK.

You can allow users to anonymously contribute to Web Discussions and create Web Subscriptions. To enable anonymous access to the Microsoft Office Server Extensions (OSE) Collaboration features, enable Anonymous Access on the MSOffice virtual directory. To do this, follow the previous instructions that describe how you configure authentication for a file.

If you enable Basic authentication, you must grant the Log on Locally right to user accounts that access your Web site.

To grant users the Log on Locally right

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click User Managers for Domains.
  2. In the Policies menu, click User Rights.
  3. In the Right list, select Log on locally.
  4. Add user accounts or groups to the Grant To list.

Top

Configure user permissions

You can configure the types of actions that users can perform when they are authenticated on your OSE-extended web. The simplest way to configure these user permissions is to modify the memberships of the Windows NT groups that the OSE Configuration Wizard creates.

The OSE Configuration Wizard creates the following groups for each Web site:

  • group_prefix Browsers
  • group_prefix Collaborators
  • group_prefix Authors
  • group_prefix Admins

    where group_prefix is a text label you provide for each Web site when you run the wizard. The default for the label is the Web site name.

To specify which users are Browsers, Collaborators, Authors, and Administrators (NTFS file system only)

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click User Managers for Domains.
  2. On the User menu, click Select Domain, type the name of your computer, and then click OK.

    This step displays accounts and groups on the local computer.

  3. Select the group of users you want to modify, and then on the User menu choose Properties.
  4. In the Local Group Properties dialog box, use the Add and Remove buttons to add or remove user accounts.

Top

Manage NTFS access control lists manually

You can set permissions manually on your Web site, and then you can manage access control list (ACL) settings manually in Windows NT Explorer — instead of using the FrontPage administration tools or using the Windows NT groups that the OSE Configuration Wizard creates. Setting permissions manually gives you the control to set permissions at the file and folder levels.

To configure file and folder ACLs (NTFS file system only)

  1. On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.
  2. In the left pane of Internet Service Manager, select the Web site for which you want to set ACLs manually.
  3. On the Action menu, click Properties, click the Publishing tab, and then select the Manage Permissions Manually check box.
  4. In My Computer or Windows NT Explorer, select the file or folder.
  5. On the File menu, click Properties, click the Security tab, and then click Permissions.
  6. In the Name box, select a user.

    – or –

    Click Add to add a user.

  7. In the Type of Access box, select the type of access you want for the selected user.

You can grant a specific user or group collaboration access, and then you can manage permissions manually on the MSOffice virtual directory.

To grant a specific user or group Collaboration access

  1. In My Computer or Windows NT Explorer, select the folder:

    C:\Program Files\Microsoft Office\Office\ScriptsN\1033

    where N is the instance number of the Web site you are configuring.

  2. On the File menu, click Properties, click the Security tab, and then click Permissions.
  3. Add the user account or group to the ACL for the 1033 folder, grant it the Read permission, clear the Replace permissions on Subdirectories check box, and then clear the Replace Permissions on Existing Files check box.
  4. Repeat Steps 1 through 3 for all files located in the 1033 folder, but not the MSOAdmin subfolder.
  5. Repeat Steps 1 through 3 for the Help subfolder, and all files located in the Help subfolder.

You can grant a specific user or group administration access to OSE features, and then you can manage permissions manually on the MSOAdmin subfolder.

To grant a specific user or group Administration access

  1. In My Computer or Windows NT Explorer, select the folder:

    C:\Program Files\Microsoft Office\Office\ScriptsN\1033\MSOAdmin

    where N is the instance number of the Web site you are configuring.

  2. On the File menu, click Properties, click the Security tab, and then click Permissions.
  3. Add the user account or group to the ACL for the MSOAdmin folder, grant it the Read permission, clear the Replace permissions on Subdirectories check box, and then clear the Replace Permissions on Existing Files check box.
  4. Repeat Step 3 for all files located in the MSOAdmin folder.

Top

See also

In Microsoft Internet Information Server (IIS), you can restrict access to a Web site by IP address or domain name. For more information, see IIS online Help.

In addition to User Manager, several FrontPage administration tools allow you to modify permissions on FrontPage-extended webs, which are all webs used with OSE. For more information, see Advanced Administration of Office Server Extensions.


Topic Contents
Next
Previous

Topic Contents   |   Previous   |   Next   |   Top

  Friday, March 5, 1999
© 1999 Microsoft Corporation. All rights reserved. Terms of use.

License