microsoft.com Home
http://www.microsoft.com/office/ork

Advanced Administration of Office Server Extensions

How to Use the HTML Administration Forms and Fpremadm.exe

You can use HTML Administration Forms to install and administer Microsoft FrontPage Server Extensions remotely with a Web browser. When you install FrontPage Server Extensions during Microsoft Office Server Extensions (OSE) Setup, the forms are copied to your Web server. When you install the forms on your Web server, your home page for the HTML Administration Forms is Fpadmin.htm.

The HTML Administration Forms are not active when they are first installed because remote administration of FrontPage Server Extensions is a potential security risk. Before you activate the forms, you can evaluate the security implications of remote administration, and then you can decide whether you want to use the HTML Administration Forms to administer FrontPage Server Extensions remotely.

Fpremadm is the utility that actually lets you administer FrontPage Server Extensions remotely. The Fpremadm utility interface is based on the administration utility Fpsrvadm.exe and performs all of the same commands. Fpremadm requires Microsoft Internet Explorer installed on the client computer.

Fpremadm uses Fpadmdll.dll, which is the same server-side ISAPI program as the HTML Administration Forms. Because of this, before you can use Fpremadm, you must install and activate the HTML Administration Forms on the server you want to administer.

Fpremadm uses the same command-line syntax as the Fpsrvadm utility. For example:

fpremadm.exe -adminusername UserAccount -adminpassword
-targetserver https://sample.microsoft.com:1439/fpadmin/scripts/fpadmdll.dll
-o upgrade -p 8234 -m sample.microsoft.com

Note the use of a secured connection and a nonstandard port.

Fpremadm also includes the following arguments that set up the connection to the remote server.

Note   If you are using Windows NT Challenge/Response authentication, you can omit the adminusername and adminpassword arguments.

Top

Administer FrontPage Server Extensions remotely

The HTML Administration Forms and Fpremadm use a similar architecture to perform remote FrontPage Server Extensions administration. Both communicate with Fpadmdll.dll on the server computer, and both in turn run the FrontPage Server Extensions administration utility Fpsrvadm.exe.

Client and server communicate through HTTP by using WinInet. Fpremadm passes its command line to Fpadmdll.dll. Fpadmdll.dll, in turn, passes the incoming command and arguments to the Fpsrvadm utility, which carries out the command.

You can use the HTML Administration Forms from a Web browser on any computer. On the Web server computer, Fpadmdll.dll acts as the form handler for FrontPage Server Extensions HTML Administration Forms. The form handler, Fpadmdll.dll, passes a command and arguments to the Fpsrvadm utility.

Top

Administer security on a remote Web server

Administering remotely makes your Web server less secure than local administration because an unauthorized user can potentially access your Web server from the Internet and modify settings or delete webs. To prevent unauthorized access, use the following precautions:

• Require a user to log on to your Web server with a secure administrator account to access Fpadmdll.dll.
• When you require a secure administrator account, you prevent unauthorized access to your Web server.
• Require a secure connection such as Secure Sockets Layer (SSL) to communicate with Fpadmdll.dll.

  When you require a secure connection, network eavesdroppers cannot read a user name and password.

• Require the use of a nonstandard HTTP port to access Fpadmdll.dll. The standard HTTP port is 80, and the secure, nonstandard HTTP port is 443.

  When you require a nonstandard HTTP port, it is difficult for network eavesdroppers to identify the URL of the HTML Administration Forms, and the remote administration programs.

• Allow only specific IP addresses to access HTML Administration Forms or Fpadmdll.dll.

  When you allow only specific IP addresses access, you prevent unauthorized computers from accessing your HTML Administration Forms or Fpadmdll.dll. Typically, only IP addresses that are associated with the owner of a FrontPage-extended web should have access.

Top

Activate remote administration

When you use either the Fpremadm utility or the HTML Administration Forms to administer your Web server remotely over your network or the Internet, you need to activate the HTML Administration Forms because they make remote administration services available.

Also, you should run the HTML Administration Forms over a secure port, which requires that you install a security certificate on your server. Use the Key Manager application included with Microsoft Internet Information Server (IIS) to make a security certificate request, submit the request to a key authority, and then use the Key Manager application to install the certificate that the key authority returns.

After you install a security certificate, you should enable the HTML Administration Forms either as a separate Web site or as a virtual directory on an existing Web site. Using a separate Web site with a separate IP address makes the forms harder to discover and allows you to enable additional security settings, such as distinct nonstandard port numbers. However, using a separate Web site with its own IP address can be a disadvantage because the number of IP addresses available for you to use might be limited.

When the HTML Administration Forms are located on an NTFS-formatted drive, you can set permissions on the access control list (ACL) of the folder where the forms are located — to control access to the folders. Before you activate the HTML Administration Forms for remote use, determine which individual Microsoft Windows NT accounts that you want to access the HTML Administration Forms. Each individual account that you want to access the forms must be a member of the Administrators group for that computer. You can give access to individual accounts, or you can use the Windows NT User Manager to create a new group account. A group account for administrators allows you to add and remove users from the Administrators group instead of changing the ACL of the HTML Administration Forms folder.

To set or modify the access control list of the HTML Administration Forms folder

1. In Windows Explorer, locate the HTML Administration Forms, and then select the ISAPI folder.

   The default location is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\Version 4.0\Admin.

2. On the File menu, click Properties, click the Security tab, and then click Permissions.
3. Use the Add and Remove buttons to update the list of authorized users and groups in the Name box.

   Remove all users and groups that are not authorized. In particular, remove any groups, the IUSR_computer_name anonymous account, and any wide-access accounts such as EVERYONE.

4. In the Name box, type the SYSTEM account for the computer.

   This account is required to give IIS access to the file during the security validation process.

5. For each user or group in the Name box, set Type of Access to Read.
6. Select Replace Permissions on Subdirectories and Replace Permissions on Existing Files, and then click OK.

You can create a Web site that is used to access only the HTML Administration Forms.

To create a Web site for the HTML Administration Forms

1. Start the IIS Internet Service Manager application, and then open the IIS folder.
2. Right-click the computer object, point to New, and then click Web Site.
3. In the Description box, type a name for the site, and then click Next.
4. Select an IP address for the site, and then click Next.
5. In the Enter the path for your home directory box, type the path to the HTML Administration Form files, clear the Allow anonymous access to this web site check box, and then click Next.
6. Select the Allow Read Access check box, then select the Allow Execute Access check box, and then click Finish.

When you create a Web site for the HTML Administration Forms, you can require SSL on connections to that Web site so that user name and password information are encrypted.

To require SSL on connections to the HTML Administration Forms Web site

1. In the left pane of Internet Service Manager, right-click the icon for the new Web site, then click Properties, and then click the Web Site tab.
2. In the SSL Port box, type a nonstandard port number. The standard HTTP port is 80 and the standard secure HTTP port is 443. Use a port number other than 80 and 443.
3. Click the Directory Security tab, and then click the Secure Communications Edit button.
4. Select the Require Secure Channel check box, and then click OK.

After you set the ACL, create a Web site for the HTML Administration Forms and require SSL. You can use the HTML Administration Forms for remote administration through a URL such as:

https://computer_name:port_number/fpadmin.htm

where computer_name is mapped to the DNS entry for the IP address assigned to the HTML Administration Forms Web site and where port_number corresponds to the port number of the HTML Administration Forms Web site.

You can create a virtual directory to enable access to the HTML Administration Forms on an existing Web site — instead of creating a Web site dedicated to the forms.

To create a virtual directory on an existing Web site for the HTML Administration Forms

1. Start the IIS Internet Service Manager, open the IIS folder, and then open the computer object.
2. Right-click the Web site icon, then point to New, and then click Virtual Directory.
3. In the Alias box, type the alias name for the HTML Administration Forms, and then click Next.
4. In the Enter the physical path of the directory containing the content you want to publish box, type the path to the HTML Administration Form files, and then click Next.
5. Select the Allow Read Access check box, then select the Allow Execute Access check box, and then click Finish.

To configure authentication on the HTML Administration Forms virtual directory

1. In the left pane of Internet Service Manager, right-click the icon for the new virtual directory, then click Properties, and then click the Directory Security tab.
2. In the Password Authentication Method box, click the Edit button.
3. Clear the Allow Anonymous check box.
4. Select either or both Basic Authentication and Windows NT Challenge/Response check boxes, and then click OK.
5. Under Secure Communications, click Edit.
6. Click Require Secure Channel.

To activate the forms for remote administration, use a URL such as https://computername/fpadmin/fpadmin.htm.

Top

See also

Fpremadm.exe uses parameters and commands that are almost identical to Fpsrvadm.exe. For a full description of all the commands available through Fpsrvadm.exe, see How to Use Fpsrvadm.exe.

There are four utilities you can use to perform administrative tasks on a FrontPage-extended web: the FrontPage MMC Snap-in, FrontPage HTML Administration Forms, Fpsrvadm, and Fpsrvrem. For information about which tool you can use to perform a specific task, see Using FrontPage Server Extensions Tools.

Topic Contents   |   Previous   |   Next   |   Top Friday, March 5, 1999 © 1999 Microsoft Corporation. All rights reserved. Terms of use.

License