Our company just migrated to a new Web server, on which we've installed Microsoft FrontPage 2002 Server Extensions. These extensions are necessary because several of our users use FrontPage to author remotely to our Web server. This scenario worked fine with our old server, but our remote users can't connect to the FrontPage extensions or do any authoring on the new server. The problem seems to involve authentication, and when I give these users the ability to log on to the server through Windows 2000 Server Terminal Services, they can run FrontPage and author pages with no problem. I can't have users logging on to the server on a regular basis, so I need to solve this problem. Do you have any ideas?
I've run into this problem before; it relates to the security restrictions in effect on the server. Specifically, the person who configured your server probably set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey's RestrictAnonymous value to 2, either manually or through the use of Win2K's High Security security template. (The Microsoft article "How to Use the RestrictAnonymous Registry Value in Windows 2000" at http://support.microsoft.com/?kbid=246261 thoroughly describes this registry value.) This setting effectively removes the Everyone group from the access token that nonauthenticated users (i.e., users who don't log on with a valid user account from the server's local user accounts database or the server's domain user accounts database) use to access the server. The result is that these accounts are denied access to certain system resources that typically are accessible under different RestrictAnonymous values (i.e., values of 0 or 1). Although a RestrictAnonymous value of 2 creates a more secure system, which is certainly desirable for any server, and particularly a public Internet server such as yours, the setting can interfere with certain services and applications. FrontPage is one of these applications (and the need to use a less secure RestrictAnonymous value is just one of the reasons that using FrontPage on a public server introduces security risks).
To resolve the problem, change the RestrictAnonymous value to 1. You can also adjust this setting through the Microsoft Management Console (MMC) Group Policy Editor (GPE) snap-in, which enumerates the setting as the Additional restrictions for anonymous connections policy under Local Computer Policy\WindowsSettings\Security Settings\Local Policies\Security Options, as Figure 1 shows. The registry values of 0, 1, and 2 map to the policy settings of None. Rely on default permissions; Do not allow enumeration of SAM accounts and shares; and No access without explicit anonymous permissions, respectively.
