Click to return to the Microsoft FrontPage home page    
Web Workshop  |  Languages & Development Tools  |  Microsoft FrontPage

Configuring Support for Database Integration with FrontPage


Microsoft Corporation

Updated April 15, 1999

Microsoft® FrontPage® allows Web authors to collect, store, and retreive information from databases. Database features in FrontPage 2000 allow authors to create new or connect to existing databases and incorporate live data directly in their Web pages.

Database Connectivity

Using FrontPage 2000, Web authors can incorporate data from any ODBC-compliant database. The database can reside either on the Web server or on a remote database server. FrontPage 2000 provides drivers for tab- or comma-delimited text files, for Microsoft Excel spreadsheets, and for the following file formats:

Drivers for server-based databases include those for Microsoft SQL Server™ and Oracle.

FrontPage stores all database connection information in a file called Global.asa, on the Web author's computer. If the database resides outside the author's FrontPage-based Web, FrontPage requires a data source name (DSN) to connect to the database.

Database Security

Using the FrontPage Server Extensions, you can ensure that only users with administrative or authoring privileges for a Web will be able to access databases in that Web.

The recommended location for file-based databases in in the fpdb folder in the FrontPage-based Web. With the FrontPage Server Extensions installed on the Web server, FrontPage automatically marks this folder as not browsable, scriptable, or executable. By default, when FrontPage 2000 creates a new database, it places a Microsoft Access database in the fpdb folder. When Web authors import an existing database to a Web, FrontPage creates the fpdb folder, if it doesn't already exist, and uploads the file to the fpdb folder or to a folder specified by the user.

If the user places the database in a folder other than fpdb, the Component Errors report in FrontPage 2000 recommends moving the database to the fpdb folder for security reasons.

FrontPage does not provide any database security beyond the security settings that already exist within the database. If access restrictions are not set within the database, a user with authoring or administrative rights to the Web might be able to access and change the contents of the database.

If you are administering a FrontPage-extended web, you can take the following steps to make databases in users' webs more secure:

Setting Configuration Variables to Support FrontPage Database Features

FrontPage Server Extensions use several configuration variables that you can set to configure how your Web server supports FrontPage database features. Because FrontPage's database integration relies on ASP, Web authors must be able to save ASP pages to the server. The configuration variables that affect database support are AllowExecutableScripts, ListSystemDSNs, NoExecutableCGIUpload, and NoMarkScriptable. For more information about configuration variables, see FrontPage Server Extensions Configuration Variables.

AllowExecutableScripts

When AllowExecutableScripts is turned on, Web authors can execute programs and scripts, such as CGI scripts, ISAPI extensions, and ASP pages. However, for security reasons AllowExecutableScripts is turned off by default when you first install the FrontPage Server Extensions. You must set AllowExecutableScripts to a non-zero value, either globally or for each virtual server where you want to allow Web authors to run scripts.

For detailed information about this configuration variable, see AllowExecutableScripts

ListSystemDSNs

FrontPage 2000 lets Web authors list all the data source names (DSNs) on a server. This is a potential security hole because it exposes a list of resources. In addition, it's unlikely that the DSNs are password protected, because until FrontPage 2000 server extensions were installed on the server the DSNs weren't accessible from a Web page.

You can hide system DSNs by turning the ListSystemDSNs configuration variable off, either globally or for each virtual server. This setting defaults to true when you first install FrontPage Server Extensions.

For detailed information about this configuration variable, see ListSystemDSNs

NoExecutableCGIUpload

When NoExecutableCGIUpload is turned on, Web authors cannot upload files to folders whose scriptable (or executable) bit is set. NoExecutableCGIUpload is turned on by default when you install FrontPage Server Extensions, which means that Web authors cannot upload ASP pages to servers, such as IIS 3.0, that do not have separate scriptable/executable bits. You can turn the NoExecutableCGIUpload configuration variable off, either globally or for each virtual server where you want to allow Web authors to be able to upload executable files.

For detailed information about this configuration variable, see NoExecutableCGIUpload

NoMarkScriptable

When you install the FrontPage Server Extensions, NoMarkScriptable configuration variable is turned off, which means that Web authors can change the "scriptable" attribute on a folder from FrontPage 2000. If you turn NoMarkScriptable on, either globally or for virtual servers, you must provide some scriptable folders for Web authors to be able to use the FrontPage database features and other ASP-based pages.

You can also turn NoMarkScriptable on or off for subwebs on a server, by setting vti_nomarkscriptable in the web's _vti_pvt/service.cnf file. You can use the vti_nomarkscriptable setting to selectively turn database support on for customers who want it, but disallow database support for all other customers. To configure this functionality, you would turn off the NoMarkScriptable configuration variable for the server, but turn on the vti_nomarkscriptable setting for selected webs.

For detailed information about this configuration variable, see NoMarkScriptable



Back to topBack to top

Did you find this material useful? Gripes? Compliments? Suggestions for other articles? Write us!

© 1999 Microsoft Corporation. All rights reserved. Terms of use.