1. Introduction
The Microsoft FrontPage Extensions Check identifies whether FrontPage extensions are enabled on a web server. These extensions allow remote content modification, which is normal for internal networks but risky if exposed to the internet. A successful exploit could lead to unauthorised changes to website files. This poses a medium risk to confidentiality, integrity and availability of affected websites.
2. Technical Explanation
FrontPage extensions provide functionality allowing web developers to manage content remotely. The root cause is typically an insecure default configuration where these extensions are enabled without restriction. An attacker could exploit this by directly modifying website files or injecting malicious code. CVE-2000-0114 details a specific vulnerability related to FrontPage extension access control.
- Root cause: Default installation of FrontPage extensions allows remote access.
- Exploit mechanism: An attacker could upload, modify, or delete web content via the FrontPage protocol if anonymous access is permitted. For example, an attacker could use a FrontPage client to connect and alter index.html.
- Scope: Web servers running Microsoft IIS with FrontPage extensions enabled are affected.
3. Detection and Assessment
Confirming the vulnerability involves checking extension status and access permissions. A quick check can be done via the IIS Manager, while a more thorough method uses command-line tools.
- Quick checks: Open IIS Manager, navigate to “Handler Mappings”, and look for entries related to FrontPage extensions (e.g., `FrontPage_Server`).
- Scanning: As an example, Nessus plugin ID 20834 can detect exposed FrontPage extensions.
- Logs and evidence: Check IIS logs for requests targeting the `_fpclass` virtual directory or files with `.fp` extension.
```
appcmd list config /section:system.webServer/handlers | findstr /i "FrontPage"
```
4. Solution / Remediation Steps
Fixing this issue involves disabling FrontPage extensions and restricting access. These steps should be performed carefully to avoid disrupting legitimate services.
4.1 Preparation
- Dependencies: None. The rollback plan is to re-enable the FrontPage extensions via IIS Manager.
- Change window: A standard maintenance window is recommended. Approval from the web team lead is advised.
4.2 Implementation
- Step 1: Open IIS Manager.
- Step 2: Navigate to “Handler Mappings”.
- Step 3: Locate and remove all handler mappings related to FrontPage extensions (e.g., `FrontPage_Server`).
- Step 4: Restart the website or the entire server for changes to take effect.
4.3 Config or Code Example
Before
```
Handler Mappings:
FrontPage_Server *.fp C:\inetpub\wwwroot\_fpclass\default.aspx
```
After
```
Handler Mappings:
(No FrontPage related entries)
```
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue and similar vulnerabilities.
- Practice 1: Least privilege – only install necessary components, avoiding unnecessary attack surfaces like unused extensions.
- Practice 2: Secure defaults – configure systems with the most restrictive settings possible by default.
4.5 Automation (Optional)
```
# PowerShell example - use with caution!
Import-Module WebAdministration
Get-WebHandler | Where-Object { $_.Name -like "*FrontPage*" } | ForEach-Object { Remove-WebHandler -Name $_.Name }
```
5. Verification / Validation
Verify the fix by confirming extensions are disabled and attempting a negative test.
- Post-fix check: Run `appcmd list config /section:system.webServer/handlers | findstr /i "FrontPage"`. The output should be empty.
- Re-test: Repeat the IIS Manager quick check from section 3 (Detection and Assessment); FrontPage entries should no longer exist.
- Monitoring: Check IIS logs for any attempts to access `_fpclass` or `.fp` files.
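The log check described under "Logs and evidence" in section 3 and under "Monitoring" above, as an added example that is not part of the original page: a Python parser for IIS W3C extended logs that flags requests whose URI path contains an `_fpclass` directory segment or ends in `.fp`. The function name, the reported fields and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the page: the `_fpclass` directory and `.fp` files.
FP_DIR = re.compile(r"(^|/)_fpclass(/|$)", re.IGNORECASE)
FP_EXT = re.compile(r"\.fp$", re.IGNORECASE)

def find_frontpage_requests(lines):
    """Return one dict per W3C log entry whose URI path matches an indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Column order is per-server configuration and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        # Decode percent-encoding in case the stem was logged encoded (%5Ffpclass).
        stem = unquote(row.get("cs-uri-stem", ""))
        reason = ("_fpclass directory" if FP_DIR.search(stem)
                  else ".fp file" if FP_EXT.search(stem) else None)
        if reason:
            hits.append({"time": f"{row.get('date', '')} {row.get('time', '')}".strip(),
                         "client": row.get("c-ip", "-"),
                         "method": row.get("cs-method", "-"),
                         "uri": stem,
                         "status": row.get("sc-status", "-"),
                         "reason": reason})
    return hits

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-15 10:00:01 192.0.2.10 GET /index.html 200
2024-01-15 10:00:05 198.51.100.7 GET /_fpclass/ 403
2024-01-15 10:00:09 198.51.100.7 POST /site/%5Ffpclass/default.aspx 404
2024-01-15 10:00:12 203.0.113.5 GET /docs/page.fp 200
2024-01-15 10:00:15 192.0.2.10 GET /my_fpclass_notes.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_frontpage_requests(SAMPLE_LOG):
        print(hit)
```

After remediation, any hit with a 2xx status deserves a closer look than the 403 or 404 responses expected from blind probing.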
```
appcmd list config /section:system.webServer/handlers | findstr /i "FrontPage"
```
6. Preventive Measures and Monitoring
Update security baselines and implement checks in deployment pipelines.
- Baselines: Update your IIS hardening baseline to explicitly disable FrontPage extensions.
- Pipelines: Include a check in your CI/CD pipeline to ensure FrontPage extensions are not enabled during deployments.
- Asset and patch process: Review server configurations regularly for unnecessary components or insecure settings.
7. Risks, Side Effects, and Roll Back
Removing FrontPage extensions may impact legacy applications that rely on them.
- Risk or side effect 1: Legacy websites using FrontPage features will be broken. Mitigation is to migrate these sites away from FrontPage.
- Roll back:
1. Open IIS Manager.
2. Navigate to “Handler Mappings”.
3. Add the removed FrontPage handler mappings back in.
4. Restart the website or server.
8. References and Resources
- Vendor advisory or bulletin: Microsoft Security Bulletin MS00-016
- NVD or CVE entry: CVE-2000-0114
- Product or platform documentation relevant to the fix: IIS Handler Mappings Documentation