IIS 5 & IIS 6
What do I replace FPSE with?
Last post Jun 07, 2010 07:26 PM by robmcm
Apr 30, 2010 11:07 AM|igiblet|LINK
We have 4 different environments with some environments containing 9 servers. We currently use FrontPage Server Extensions to manage permissions for our hundreds of developers over about 750k files. We are stuck on Win2k3 / IIS 6 because of this. I have read on WebDAV a bit but am looking to ask what everyone is doing to replace the permission management portion of FPSE for large amounts of files+developers?
Apr 30, 2010 11:21 AM|tomkmvp|LINK
Straight-up NTFS permissions on application root folders.
Apr 30, 2010 12:10 PM|igiblet|LINK
That is not what I wanted to hear :(
Apr 30, 2010 02:22 PM|igiblet|LINK
Are there any decent third party products?
Apr 30, 2010 09:34 PM|steve schofield|LINK
Nothing like FPSE exists as far as I know. There is FPSE on IIS 7 but the support was put to a 3rd support,
Not sure that helps. I would abandon FPSE if at all possible for longer term architecture.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
May 03, 2010 10:38 AM|igiblet|LINK
I completely agree in ditching FPSE. I need to replace the security management portion. The skinny is that we have many developers who currently can manage permissions to their subwebs. If at all possible I want to start building 2008/IIS 7.x servers instead of putting 2003 boxes out there. The crux is that I'm certain the devs will flip their lids if I snatch their permissions to manage access to their subwebs. I would love to move to NTFS and be done with it but the environment here may not allow for that.
Thanks for any suggestions.
May 25, 2010 12:44 PM|hillb|LINK
We went through this exact scenario. If you have the development staff available, WebDAV is the way to go. We replaced a 4 server, 750 site FPSE intranet architecture with a 2 server 2K8 WebDAV architecture recently, and our users love it.
Our big hurdle was self management, and we ended up using the Microsoft.Web.Administration API to write a series of web services that greatly simplify, and largely automate, permissions management in IIS.
In a nutshell: We created a web service that deploys each subweb and folder programmatically on the server with a custom apppool. At the NTFS level we leave the permissions wide open, with all members of our AD having write access. This isn't as much of a security risk as it sounds, as the drives aren't shared and the ONLY access to these folders is through our IIS WebDAV implementation. We manage access permissions directly through WebDAV, again using the Microsoft.Web.Administration API. We never have to touch IIS directly, everything is managed via our custom management applications.
Our architecture uses a small external database to store subweb/user relationships, which allows us to differentiate between subweb "owners" and "editors". Because we have that information, we were able to extend the functionality of the webapps to the users themselves, allowing subweb "owners" to add or remove additional users from their own sites without the intervention of our IT staff.
Our users actually tell me that they prefer the new system to the old FrontPage architecture, but this route DOES require a considerable developer time investment to implement and debug. I believe that the entire development project took two full time C# .Net developers about two weeks from initial planning to user beta testing (both were experienced .Net developers, but neither had used this API before). I don't believe that there are any off the shelf applications that can do this, so developing in-house (or hiring a consultant) is the only option. If you have the resources, it's worth the effort though.
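A sketch of the owner-delegated grant described in the post above, as an added example that is not part of the original thread and not the poster's code. `SubwebAcl`, `OwnersBySite`, the site path, the account names and the account-name pattern are hypothetical; the in-memory dictionary stands in for the external subweb/user database.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Microsoft.Web.Administration;

// Added example: all type, field and account names here are hypothetical.
public static class SubwebAcl
{
    // Stand-in for the external subweb/user database: site path -> owners.
    static readonly Dictionary<string, HashSet<string>> OwnersBySite =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Intranet/teams/finance",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice" } }
        };

    // Accept DOMAIN\user only, so "*", comma lists or role names cannot widen the rule.
    static readonly Regex Account =
        new Regex(@"^[A-Za-z0-9._-]{1,15}\\[A-Za-z0-9._-]{1,64}$");

    public static void GrantEditor(string caller, string sitePath, string newEditor)
    {
        HashSet<string> owners;
        if (!OwnersBySite.TryGetValue(sitePath, out owners) || !owners.Contains(caller))
            throw new UnauthorizedAccessException(caller + " does not own " + sitePath);
        if (!Account.IsMatch(newEditor))
            throw new ArgumentException("Expected DOMAIN\\user", "newEditor");

        using (ServerManager server = new ServerManager())
        {
            Configuration config = server.GetApplicationHostConfiguration();
            ConfigurationSection section =
                config.GetSection("system.webServer/webdav/authoringRules", sitePath);
            ConfigurationElementCollection rules = section.GetCollection();

            foreach (ConfigurationElement rule in rules)   // idempotent: skip an existing rule
                if (string.Equals((string)rule["users"], newEditor,
                                  StringComparison.OrdinalIgnoreCase))
                    return;

            ConfigurationElement add = rules.CreateElement("add");
            add["users"] = newEditor;
            add["path"] = "*";
            add["access"] = "Read, Write, Source";  // Source covers script-mapped files
            rules.Add(add);
            server.CommitChanges();                  // persists to applicationHost.config
        }
    }
}
```

Because NTFS is left open in this design, the authoring rules are the only access control on the content, so the web service has to authenticate `caller` itself (for example with Windows authentication) before calling this method, and the process needs administrative rights to commit configuration changes.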
May 25, 2010 03:29 PM|tomkmvp|LINK
Very cool! Maybe you want to market that ...
May 25, 2010 04:37 PM|hillb|LINK
I wish, but that's not an option. I work for a government agency, and because the project was paid for using taxpayer dollars, we can't sell it. We did toy with the idea of open sourcing it for a while (we can't sell it, but we can give it away), but doing that would require a couple of audits to ensure that we're not revealing any architectural secrets or violating anyone's IP. We can't get the authorization to spend any staff time on those audits, so it remains an internal tool only.
It's really not a difficult tool for any experienced .Net developer to assemble, and the included IIS System Configuration tool is even kind enough to generate sample code for most of the more involved requests. The real question is whether it's worthwhile for an organization to invest a month's worth of developer/days into something like this. For most smaller FPSE users, it's probably not. For ISPs and enterprise installations, it may be. It certainly was worthwhile for us (6k+ users on 700+ sites).
Our only other option was implementing FTP. We had a very strictly enforced "No FTP" rule in place from the mid-90's up until last month (because of security vulnerabilities and support issues), so our users and management both freaked out when we proposed replacing FPSE with FTPES. The WebDAV solution required additional effort, but ultimately made everyone happy.
Jun 07, 2010 07:26 PM|robmcm|LINK
For what it's worth, I wrote a blog post series some time ago that was titled "Life after FPSE" that has some helpful information:
I also wrote the following walkthroughs with some additional helpful WebDAV information:
BTW - I loved the solution of managing the WebDAV authoring rules using the IIS administration APIs, that makes for a great replacement for the FPSE administration features. Great idea. ;-]