views:

669

answers:

2

An automated security scan was performed on my WSS 3.0 site and it came up with some warnings based on the apparent presence of FrontPage Extensions. Namely it found files like /_vti_pvt/service.cnf, /_vti_pvt/services.cnf, and /_vti_bin/_vti_aut/author.dll by appending those locations to the site's main URL over the web. These are apparently related to FrontPage Extensions. I have confirmed that the files exist and can be accessed over the web.

What exactly are these files for? Are they, indeed, related to FrontPage Extensions (which apparently has suffered from many security shortcomings in the past)? Can they be removed or disabled somehow?

Update: I have removed read permissions to those directories under my SharePoint web site in IIS. They no longer serve over the web, but the site seems to function normally. So if anyone has an apparent security vulnerability from these files, a possible option is to remove the read permissions.

I have not tried to connect with SharePoint designer.

+2  A: 

I think what you're seeing are the files that support SharePoint designer, which essentially evolved out of Frontpage.

Stefan Mai
No, he's talking about files on the WSS site.
John Saunders
I use SharePoint Designer all the time. I'm not talking about running a program but about certain files that reside on disk and are exposed over the web. Are you saying that these files on the server facilitate the use of SharePoint Designer on a site? Can they therefore be deleted?
strongopinions
Those files enable SharePoint designer to act on the remote site as if it were local. "Web Folders", etc are all idioms from FrontPage time. I'm not talking about the local client.
Stefan Mai
A: 

The WSS SDK describes the RPC extensions available in WSSv3. For more information see the WSS SDK FrontPage Server Extensions RPC @ http://msdn.microsoft.com/en-us/library/ms443099.aspx

Waldek Mastykarz - MOSS MVP
Thanks, this provides some information... at least some of the files are related to RPC, which I guess takes the place of the web services from SharePoint 03. But it's still not clear if these comprise all of the files there, whether are used by SharePoint internally or if they can be safely deleted. Also, are they related to SharePoint Designer, as a previous poster suggested?
strongopinions
I definitely wouldn't delete any of the standard SharePoint files. It might get you into unsupported setup and even worse lead to a broken setup.
Waldek Mastykarz - MOSS MVP