Condividi tramite


How to lock down external anonymous access SharePoint sites

Securing SharePoint and related infrastructure becomes very important for External/Internet websites running on SharePoint 2007 and available to anonymous users. Detailed security guidance for such a scenario is available in the Technet article - Plan security for an external anonymous access environment (Office SharePoint Server).

Lockdown Mode

One of the steps mentioned in the above article is to enable the “Lockdown” mode. Lockdown mode is a feature that you can use to secure published sites. By enabling lockdown mode on a site, you can restrict the permissions for anonymous users.

Permission

Limited access — default

Limited access — lockdown mode

List permissions: View Application Pages

Y

Site permissions: Browse User Information

Y

Y

Site permissions: Use Remote Interfaces

Y

Site permissions: Use Client Integration Features

Y

Y

Site permissions: Open

Y

Y

When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced. It is applied to sites under the following circumstances:

  • The Stsadm.exe command-line tool is used to turn lockdown mode on.
  • The Publishing Portal site template is applied to the site collection. By default, lockdown mode is turned on when this template is applied.

For more information about lockdown mode in SharePoint 2007, see the "Use lockdown mode" section in article linked above.

What else needs to be done?

Even when lockdown mode is enabled, anonymous users can still access certain SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. So, to increase security, you should enable lockdown mode and also modify the Web.config file.

The article - Locking down Office SharePoint Server sites describes how to modify the Web.config file to restrict access to these additional resources. Sample XML from the article, showing what XML statements to add to the Web.config file are pasted below:

<?xml version="1.0" encoding="utf-8" ?>

<actions>

  <add path="configuration">

    <location path="_layouts">

      <system.web>

        <authorization>

          <deny users="?" />

        </authorization>

      </system.web>

    </location>

    <location path="_vti_bin">

      <system.web>

        <authorization>

          <deny users="?" />

        </authorization>

      </system.web>

    </location>

    <location path="_layouts/login.aspx">

      <system.web>

        <authorization>

          <allow users="?" />

        </authorization>

      </system.web>

    </location>

    <location path="_layouts/error.aspx">

      <system.web>

        <authorization>

          <allow users="?" />

        </authorization>

      </system.web>

    </location>

    <location path="_layouts/accessdenied.aspx">

      <system.web>

        <authorization>

          <allow users="?" />

        </authorization>

      </system.web>

    </location>

  </add>

</actions> 

Based on your specific requirements of giving anonymous users access to specified pages in the _layouts directory and/or services in the _vti_bin directory, you can modify the XML accordingly and follow deployment process given in How To: Add Custom Configuration Settings to Extend a Web Application article.

Comments

  • Anonymous
    January 01, 2003
    IB, Michael, Yes this works for 2010 also. If not enabled, then lockdown feature (ViewFormPagesLockDown)  normally enabled by default  for Publishing sites and make the required changes to the web.config as described above.

  • Anonymous
    January 05, 2011
    Is this possible with 2010 also?

  • Anonymous
    March 07, 2012
    how abouyt sharepoin 2010 ? Could it work it there?

  • Anonymous
    May 02, 2012
    The comment has been removed