Security - Public vs Non-Public

[Carolyn]

We have both public and non-public areas of our website. We have discovered
that a Google search will allow link to our non-public pages.

How can we secure those pages that are not for public view? Or where can I
find the information to study and incorporate? If a subweb is the answer, I
have not found a way to secure a subweb from the same problem.

Help!

 

[Stefan B Rusynko]

Depends on how you secured the non-public pages and your meta tags




| We have both public and non-public areas of our website. We have discovered
| that a Google search will allow link to our non-public pages.
|
| How can we secure those pages that are not for public view? Or where can I
| find the information to study and incorporate? If a subweb is the answer, I
| have not found a way to secure a subweb from the same problem.
|
| Help!
| --
| Carolyn
| www.pdpipeline.org/home_page.htm (under construction; not yet published)
| www.tennesseepd.net

 

[Kevin Spencer]

How do you define "public" and "non-public?" If Google can get in, it means
that the "non-public" parts of the site are not secure in any way. It's kind
of like putting a sign on a door in your building that says "Authorized
Personnel Only" and not putting a lock on the door. If you want a part of a
site to be truly non-public, you have to disallow anonymous access to it, or
use server-side software to control entry.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Neither a follower
nor a lender be.

 

[Carolyn]

We are using the FP interface/editor to password protect.

What I hear both of you saying is that is is not the best method. Please
suggest another method. I will learn whatever I need to learn. Send me in
the right direction and provide any reference material links.

 

[Carolyn]

Oh...yes...public means that we want anyone to see the pages. Non-public
means that only someone with an authorized/assigned username and password
should be able to access the pages.

 

[Tom Pepper Willett]

How are you using it to password protect?
--
===
Tom "Pepper" Willett
Microsoft MVP - FrontPage
---
About FrontPage 2003:
http://office.microsoft.com/home/office.aspx?assetid=FX01085802
FrontPage 2003 Product Information:
http://www.microsoft.com/office/frontpage/prodinfo/default.mspx
Understanding FrontPage:
http://msdn.microsoft.com/office/understanding/frontpage/
===
| We are using the FP interface/editor to password protect.
|
| What I hear both of you saying is that is is not the best method. Please
| suggest another method. I will learn whatever I need to learn. Send me
in
| the right direction and provide any reference material links.

 

[Tom Pepper Willett]

How can you allow the public to see the pages and only allow someone with an
authorized/assigned username and password to access the pages?

You need to explain...you can't do both.
--
===
Tom "Pepper" Willett
Microsoft MVP - FrontPage
---
About FrontPage 2003:
http://office.microsoft.com/home/office.aspx?assetid=FX01085802
FrontPage 2003 Product Information:
http://www.microsoft.com/office/frontpage/prodinfo/default.mspx
Understanding FrontPage:
http://msdn.microsoft.com/office/understanding/frontpage/
===
| Oh...yes...public means that we want anyone to see the pages. Non-public
| means that only someone with an authorized/assigned username and password
| should be able to access the pages.

 

[Clark]

Is this a lot of beating around the bush? Isnt the answer to put the
non-public stuff in a password protected subweb?

 

[Carolyn]

Okay...first, we have some pages that are publicly viewed just by visting the
website www.pdpipeline.org ...then we have pages that are accessed via the
two portals at the bottom of the home page. The latter pages have been
indexed by Google, so while they are website password protected, in reality,
they are not truly secure since Google can index them, and by clicking the
link Google provides you can access the "protected" pages that way.

The protected subweb is a reasonable solution which I have thought of, BUT I
can't seem to discover how to protect the pages contained within. The
Help/Assistant tells me how to protect the subweb so that I can give
permission to someone to work in FrontPage and modify pages, but I have not
discovered how to protect the pages within the root directory or a subweb
from being indexed by a search engine.

It has also been suggested that I use a robots.txt. Any opinion about this
method.

Let me know if I am not being clear...I am learning as I go along!!

 

[David Baxter]

Yes, you can use a robots.txt file to stop search engines from indexing
those pages but that's clearly only a small part of the problem, the big
one being, as you note yourself, if spiders can get in your password
protection system isn't working.

 

[Stefan B Rusynko]

You password protect all the pages in a subweb
See http://support.microsoft.com/default.aspx?scid=kb;en-us;825451
Your host will have to support subwebs and unique permissions under the FP Server Extensions




| Okay...first, we have some pages that are publicly viewed just by visting the
| website www.pdpipeline.org ...then we have pages that are accessed via the
| two portals at the bottom of the home page. The latter pages have been
| indexed by Google, so while they are website password protected, in reality,
| they are not truly secure since Google can index them, and by clicking the
| link Google provides you can access the "protected" pages that way.
|
| The protected subweb is a reasonable solution which I have thought of, BUT I
| can't seem to discover how to protect the pages contained within. The
| Help/Assistant tells me how to protect the subweb so that I can give
| permission to someone to work in FrontPage and modify pages, but I have not
| discovered how to protect the pages within the root directory or a subweb
| from being indexed by a search engine.
|
| It has also been suggested that I use a robots.txt. Any opinion about this
| method.
|
| Let me know if I am not being clear...I am learning as I go along!!

 

[Andrew Murray]

provide password access.....not much will stop search engines crawling the net -
including secured pages.

 

[Andrew Murray]

I presume she means some pages are password protected, others are publicly
accessible.

 

[Tom Pepper Willett]

Search engines will not crawl properly password protected secured pages.
I'm not, of course, referring to JavaScript password pages.
--
===
Tom "Pepper" Willett
Microsoft MVP - FrontPage
---
About FrontPage 2003:
http://office.microsoft.com/home/office.aspx?assetid=FX01085802
FrontPage 2003 Product Information:
http://www.microsoft.com/office/frontpage/prodinfo/default.mspx
Understanding FrontPage:
http://msdn.microsoft.com/office/understanding/frontpage/
FrontPage 2002 Server Extensions Support Center:
http://support.microsoft.com/default.aspx?scid=fh;en-us;fp10se
===
| provide password access.....not much will stop search engines crawling the
net -
| including secured pages.
|
| | > We have both public and non-public areas of our website. We have
discovered
| > that a Google search will allow link to our non-public pages.
| >
| > How can we secure those pages that are not for public view? Or where
can I
| > find the information to study and incorporate? If a subweb is the
answer, I
| > have not found a way to secure a subweb from the same problem.
| >
| > Help!
| > --
| > Carolyn
| > www.pdpipeline.org/home_page.htm (under construction; not yet published)
| > www.tennesseepd.net
|
|

 

[Clark]

Carolyn, when you click on either link at the bottom of your page you
are asked for credentials. Are you saying that the username and password
requested there are the username and password you put in place for the
corresponding subweb?

The subweb is normally protected by a username and password applied
either by FP while working on the live site (if the host provider allows
that), or commonly, someone at the host provider has to do it for you.

Have you dont this and google is still indexing your pages, or am I
missing something?

 

[Kevin Spencer]

two portals at the bottom of the home page. The latter pages have been

indexed by Google, so while they are website password protected, in

reality,

I don't know what "website password protected" means. Can you explain that
to me in technical terms? As it stands, it could mean any of a half-dozen
things.

It has also been suggested that I use a robots.txt. Any opinion about this
method.

Waste of your time. Your problem isn't web-crawling robots, it's people. The
point I made yesterday was that if the web crawlers can access your pages,
anyone can, as anonymous browsing is allowed by the web server. Telling the
robots to stop looking at the pages will prevent the robots from viewing the
pages, but it isn't the robots you need to worry about. And people don't
read or obey robots.txt files.

The issue is a web server permissions issue. The pages need to reside in a
web that disallows anonymous access, requires login to view. Or the pages
must be protected by server-side software, such as ASP, that requires a
login, and prevents un-logged-in users from accessing the pages. The easiest
thing to do in your case would be to create a subweb that disallows
anonymous access. If you don't understand, talk with your network
administrator about it.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Neither a follower
nor a lender be.

 

[Carolyn]

Thank you all so much for the advise. I will check out all the comments and
see what I can get accomplished. I will let you all know if I am
successful...or not...LOL

 

[Carolyn]

Thanks to everyone for the comments. I am "back to work"...so to speak

First, I have read "How to set up a restricted-access Web by using FrontPage
2003" at http://support.microsoft.com/default.aspx?scid=kb;en-us;825451
which applies to permission to access a subsite to modify content, for
example. Do I have that correct? If this is correct, it is not the solution
to my problem. I do know how to create subsites, I just don't have the
knowledge to protect the subsite so that only authorized users can "view"
online the pages contained within the subsite.

Second, I have used FP Database Interface Wizard to create the interface
that I have used to create the usernames and passwords that were provided to
the authorized users. If you are not familiar with the FP interface, then I
don't know how else to describe it.

Third, "password protected" means that I have provided unique
usernames/passwords to authorized project members so that they can access,
via the portals at the bottom of the homepage, certain pages contained within
the web. We DO NOT want a non-authorized people, such as the public, to
access these pages.

Fourth, if "first" above is correct, then if I remove the "keywords" and
"description" from the meta, will that keep the spiders from indexing the
pages in question, keeping non-authorized users out of the private pages.

Fifth, if "first" above is correct, and if removing the meta content is not
the answer, what can I use to protect these pages from spiders...surely there
is a way. I will learn whatever I need to learn to accomplish the task. It
seems that protecting a subsite is the answer, so that even if a spider
should index a page and a non-authorized user attempts to access the page via
search engine results, the attempt will fail.

Sixth, we no longer have a hosting company. We are our own hosting company,
which is a disadvantage for this novice user. Long story made short...a
company has has provided us a server for free.

Seventh, pro bono website development is hard to find. We did have a
volunteer who did recruit a couple of techie friends to do some development
for us, but they didn't have enough pro bono time to commit to the project
and dropped out along the way...I assume that giving up personal time was too
much. So, we are on our own again.

From the project director down the ladder, we are a bunch of people with
Parkinson's who have pursued a goal for two years now...volunteers working
for free, trying to boost participation in clinical trails. The longer it
takes to recruit the sufficient number of patients into trials, the longer
the trail takes to complete, which adds time to the already average 15 years
to get a treatment from concept to pharmacy shelves.

I have so many comments and questions about this whole protection thing, I
hope you can be patient with me!

 

[Thomas A. Rowe]

If you want to setup a restricted access subweb/site via the FP extensions, then you would create
and open the subweb/site on the remote server via FP and set the permission, if your host allows
this feature.

If you want to use a database (Access) and ASP/VBScript then you have to write the login script,
etc. by hand or purchase a pre-written script, however you can only protect .asp pages, you can not
protect the folder or other non-html type documents, such as .doc, .pdfs, images, etc.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, WebCircle, MS KB Quick Links, etc.
==============================================