
Locking down _layouts/_vti_bin & built in SharePoint pages on Anonymous Internet facing sites


On internet-facing anonymous sites you may have noticed that your SharePoint Forms pages are also accessible to anonymous users. For example, if you're using the publishing features, anonymous users might be able to get to

http://{servername}/Pages/Forms/AllItems.aspx

This is a security concern that we really do not want. MOSS 2007 provides a feature called "ViewFormPagesLockdown" that locks down access to these pages for anonymous users:

stsadm.exe -o activatefeature -url http://{servername} -filename ViewFormPagesLockdown\feature.xml

Running the above command will enable the lockdown for Form pages.

Please Note:

  1. If you already had anonymous access enabled, you’ll need to disable it, then enable it again. 
  2. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to on, click OK. 
  3. You should now get an authentication prompt when you try to navigate to a forms page. 

However, even when lockdown mode is enabled, anonymous users can still access certain Office SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. To lock down these pages as well you will need to make some changes to the web.config file of your SharePoint site, as shown below.

The following XML fragment first denies anonymous users access to all pages in the _layouts and _vti_bin directories, and then allows anonymous users access to three specific pages in the _layouts directory (these are required for SharePoint to function correctly). The question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.
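The fragment itself did not survive on this page, so the following is an added reconstruction built from the description above using the standard ASP.NET `<location>` / `<authorization>` elements; it is not the original post's text, and where it sits in your web.config (inside `<configuration>`, next to the existing `<location>` entries) is an assumption you should check against your own file.

```xml
<!-- Added example: placed inside <configuration> of the web application's
     web.config, alongside its existing <location> elements. "?" = anonymous. -->

<!-- Deny anonymous users every page under _layouts -->
<location path="_layouts">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

<!-- Deny anonymous users the Web services exposed under _vti_bin -->
<location path="_vti_bin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

<!-- Re-allow the three pages SharePoint needs so anonymous users can sign in
     and still receive the access-denied and error pages. Rules on a more
     specific path are evaluated before the rules on the parent path. -->
<location path="_layouts/login.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

<location path="_layouts/accessdenied.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

<location path="_layouts/error.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
```

After saving web.config, verify from a browser with no session that a page such as _layouts/settings.aspx prompts for credentials while _layouts/login.aspx still loads.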

To allow anonymous users to authenticate themselves with the server, you should ensure that they have access to the following pages:

  1. _layouts/login.aspx
  2. _layouts/accessdenied.aspx
  3. _layouts/error.aspx

If you deny anonymous users access to any of these pages, Office SharePoint Server will not function properly.

  1. August 9, 2010 at 2:39 PM

    One question though: if you have search configured which is crawling the attachments against any list item (say PDFs), on the search result page the user will find a link to dispform.aspx. This is correct if it is an attachment, but incorrect when it is a list item, as it will show all the details about that item, which were supposed to be hidden from users other than the administrator.

  2. August 9, 2010 at 10:52 PM

    That's correct…but there is no elegant solution available for the issue…maybe Microsoft has come up with some better solution in SP 2010.
