Drawing the Curtain: Removing Access to the Site Settings Page for non-Administrative Users

 

NOTE:  In this article, I discuss making some changes to SharePoint which are unsupported by Microsoft.  As an employee within the Support realm, I want to stress that the CheckPermissions() solution below is currently unsupported by Microsoft -- if you make the change, you are on your own.  :)  That said, I have gone ahead and discussed some of the ramifications of making the change, because I think that the solution is a good one despite its being unsupported.  In short -- you've been warned.

 

You might have noticed that authenticated users granted Reader access to a SharePoint site also have access to the Site Settings page:  _layouts/<LCID>/settings.aspx.  Although these users will typically have no rights to access any of the pages linked therein, it might be desirable to remove access to the settings.aspx page altogether, so that non-Administrative users don't even have the option to see what can be done from an administrative perspective.  Honestly, I'm really not sure why this page is able to be viewed by non-Administrative users to begin with, but that's irrelevant;  it is viewable, and I want to change that.

 

I have two options, one supported and one unsupported

 

1)  Somewhat complicated, but supported:  write a wildcard-mapped ISAPI extension

 

2)  Simple, but strictly not supported:  drop a CheckPermissions() call onto the settings.aspx page

 

I've covered both of these options in more detail below:

 

*****

 

ISAPI Extension

 

Although writing an ISAPI extension isn't a particularly simple task, and requires knowledge of C++ programming, etc., it is a possible (and supported) solution.  Essentially, I would need to create an wildcard-mapped ISAPI extension that examined each request.  I would start by checking the requested URL by looking in the VTI_SCRIPT_NAME server variable.  If that request was for a _layouts page (settings.aspx in particular), my ISAPI extension could check the authentication type and/or authentication user from the server variables (AUTH_TYPE, and AUTH_USER). 

 

If, for example, the AUTH_USER server variable were blank, the ISAPI extension could redirect by posting a 302 Redirect to some other URL -- including, for example, a custom error page somewhere.

 

The IIS SDK includes ISAPI extension samples, including a wildcard-mapped ISAPI extension sample.  Here's a link to the Platform SDK Update site, where you can obtain any of the various platform SDK modules:

 

https://www.microsoft.com/msdownload/platformsdk/sdkupdate/

 

I would start with the WildcardMap sample provided in the SDK (...\Microsoft SDK\Samples\web\iis\ISAPI_6.0\WildCardMap).  This sample is specifically designed to capture *every* request.  To use this with IIS, I'll need to register the built ISAPI extension within IIS. 

 

NOTE: With Windows Server 2003 and with SharePoint Portal Server (or Windows SharePoint Services), there are some additional steps required to get the ISAPI extension functioning, which I cover below.

 

Once built, I can simply open up the IIS management console, right-click the web site I want to register the ISAPI with to get the web site properties, and choose the "Home Directory" (or "Virtual Directory" if this is a virtual directory rather than a web site) tab. 

 

Click the "Configuration..." button to open the "Application Configuration" dialog.  Under the "Wildcard application maps" section, choose "Insert..." and enter the path to my built DLL (or choose "Browse..." to find it).  IMPORTANT:  to use an ISAPI extension with Sharepoint, I must UN-check the "Verify that file exists" checkbox.

 

Apply all of those changes to the web site or virtual directory.

 

Next, in IIS management console, I select "Web Server Extensions."  This will bring up a list of the allowed and prohibited extensions.  I'll need to click on "Add a new Web service extension..." give the Extension a name, provide a link to the built DLL, and set the status to "Allowed."

 

At that point, my ISAPI extension should be ready to work.

 

CheckPermissions()

 

There *is* an alternative workaround, which -- unfortunately -- is not supported by Microsoft.  If I open one of the various administrative ASPX pages in Visual Studio.NET (or Notepad, for that matter) and view the code, I can see that there is an explicit check for role-based permissions.  For example, in User.ASPX, which is located at x:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\Layouts\1033\user.aspx, the line of code which checks permissions looks like this:

 

=====

<% spWeb.Permissions.CheckPermissions(SPRights.ManageRoles); %>

=====

 

This line checks to see if the current user has the ManageRoles right.  If so, the user is allowed to view the page;  if not, the user is prompted for authentication.  In contrast, the Settings.aspx page -- the first that a user sees after clicking on "Site Settings" in a WSS site -- contains no such permissions check.

 

The SPRights enumeration is covered in the MSDN Library at the location below:

 

=====

SPRights Enumeration

=====

 

This enumeration contains various rights that can be assigned to a user.  For example, the ViewPages right allows a user to view pages within a WSS Site.  It would be possible -- though, again, not supported -- to add a line of code like the one above to the various administrative settings pages that you wanted to restrict to Administrative users only.  For instance, if I wanted to restrict access to the Settings.aspx page only to users who have the ManageWeb right, I could include the following line of code in settings.aspx (existing/surrounding code included for reference, new code in bold):

 

=====

SPWeb spWeb = SPControl.GetContextWeb(Context); %>

<% spWeb.Permissions.CheckPermissions(SPRights.ManageWeb); %>

<HEAD>

=====

 

With this code in place, when a user attempts to go to the settings.aspx page, Sharepoint will check to see if they have the ManageWeb right;  if so, they can view the page -- if not, they'll be denied access and prompted for credentials.

 

The big caveat, as I've mentioned, is that this solution is not supported by Microsoft.  We do not support making any direct modifications to the code used in any of the pages in the LAYOUTS directory.  What this means is that if you were to apply this change and later were to run into any problems on your server, Microsoft PSS would require that the change be rolled back before any assistance could be given.  Additionally, Microsoft has reserved the right to overwrite any of the default (out-of-the-box) files located in the LAYOUTS directory in any future service packs or updates.  Such an overwrite would wipe out changes, so I would need to be aware of the changes that I've made so that I could re-implement in such a case.

 

*****

 

There is one scenario in which this isn't an issue:  Anonymous access over the internet.  If I have setup a SharePoint site to allow anonymous authentication, and a user browses to my site, they can view pages such as default.aspx just fine.  As soon as they attempt to view settings.aspx, though, they will be prompted.  Because the user is not on my domain, Windows Integrated authentication cannot negotiate authentication to settings.aspx, and the user will be prompted.

Comments

• Anonymous
  February 23, 2005
  good ideas...
  
  one thing i did similar to the isapi might be an easier implementation accomplishing the same goal -- i wrote an HttpHandler -- basically the same thing, but the handler sniffed out the request for that specific path (and others, namely manage users) and did its voodo based on the person.

• Anonymous
  March 01, 2005
  Some comments about security feature missing in sharepoint.

• Anonymous
  March 16, 2005
  Ryan,<br><br>While I understand the unsupported model when you start messing with the files in the LAYOUTS directory, I don't see why this would be unsupported except for that fact. I mean, if all the other pages have the call to CheckPermissions was it just an oversight on the original creators part to not include it? Maybe it would be better to have it changed in a service pack so it would be supported? Unless there's something on that page that a user without the Manage Web right would need?

• Anonymous
  June 05, 2006
  The comment has been removed

• Anonymous
  October 24, 2006
  Very informative post about <a href="http://luckynugget.bravehost.com/shopping-tv.html"">http://luckynugget.bravehost.com/shopping-tv.html" title="shopping tv">shopping tv</a> and [URL=http://luckynugget.bravehost.com/shopping-tv.html]shopping tv[/URL]

• Anonymous
  October 25, 2006
  I 'm so [url=http://access.122mb.com]lucky[/url] on having what I have! Just visit [url=http://access.serverheaven.net]my site[/url]. Just see it! And good luck in yours [url=http://access.122mb.com]search[/url].

• Anonymous
  October 25, 2006
  Thank you for this great post about <a href="http://sarahcadman.bravehost.com/car-rental-cyprus.html"">http://sarahcadman.bravehost.com/car-rental-cyprus.html" title="car rental cyprus">car rental cyprus</a> and [URL=http://sarahcadman.bravehost.com/car-rental-cyprus.html]car rental cyprus[/URL]

• Anonymous
  October 27, 2006
  The comment has been removed

• Anonymous
  November 28, 2006
  <a href= http://forum.lixium.fr/cgi-bin/liste.eur?wellbut > wellbutrin sr </a> [url= http://forum.lixium.fr/cgi-bin/liste.eur?wellbut ] wellbutrin medication [/url]

• Anonymous
  November 30, 2006
  <a href= http://forum.lixium.fr/cgi-bin/index.eur?mitsu > wellbutrin xl </a> [url= http://forum.lixium.fr/cgi-bin/index.eur?mitsu ] wellbutrin side effects [/url]

• Anonymous
  December 18, 2006
  I really enjoyed this page. I will be linking and I will be trying to read and research all that there is to offer from this site! Would you please also visit my site? <a href=  ></a> [url=][/url]

• Anonymous
  January 18, 2007
  Hi, good morning to all of you... Nice Guestbook ;-) !! <a href= http://docs.google.com/View?docid=df2wwh2p_7c7mc89 >Debt Consolidation</a> [url=http://docs.google.com/View?docid=df2wwh2p_7c7mc89]Debt Consolidation[/url]  bye

• Anonymous
  January 21, 2007
  Thank you! http://symy.jp/?Ct_220745,Thank">http://symy.jp/?Ct_220745,Thank you! http://symy.jp/?Ct_220745

• Anonymous
  February 19, 2007
  L'information interessante que vous avez! I'am allant revenir bientot.

• Anonymous
  February 22, 2007
  Great site! Good luck to it's owner!

• Anonymous
  February 24, 2007
  pagine piuttosto informative, piacevoli =)

• Anonymous
  March 05, 2007
  I have already enjoy your website, and it is so nice and cool. I will visit your website again. Thank you. Please More updates

• Anonymous
  March 10, 2007
  Looks great! I found lots of intresting things here. Many thanks. Nice site. Cheers!

• Anonymous
  March 19, 2007
  Nice site! Cheak my site to! It is fresh idea i think ;) <a href= http://plavix.stormloader.com >plavix</a>

• Anonymous
  March 20, 2007
  Hey, guys! Great site. I bookmark this place and waiting for me tommorow! <a href="http://exercise.fitness-vip.info/exercise.html ">exercise</a> [url=http://exercise.fitness-vip.info/exercise.html ]exercise[/url] http://exercise.fitness-vip.info/exercise.html

• Anonymous
  March 20, 2007
  Hey, guys! Great site. I bookmark this place and waiting for me tommorow! <a href="http://exercise-bike.exercise-vip.info/exercise-bike.html ">exercise bike</a> [url=http://exercise-bike.exercise-vip.info/exercise-bike.html ]exercise bike[/url] http://exercise-bike.exercise-vip.info/exercise-bike.html

• Anonymous
  March 20, 2007
  Thank You for help. See you tomorow. <a href= http://www.charger-dodge.blog.com.es/ > charger dodge</a> | http://www.charger-dodge.blog.com.es/

• Anonymous
  March 23, 2007
  Respect you!Added to favorites!!Nice site! This is my site: http://babyslinghammock.blogspot.com

• Anonymous
  March 23, 2007
  The comment has been removed

• Anonymous
  March 24, 2007
  Hello! Did u ever heard about CSS...? it will help your site. DS2_sp_1

• Anonymous
  March 24, 2007
  Hello! Respect guys. Thanx for such interesting site. DS2_sp_2

• Anonymous
  March 27, 2007
  Looks great! I found lots of intresting things here. Many thanks. Nice site. Cheers!

• Anonymous
  March 29, 2007
  Hello, <a href=http://iwrrwyjq.tripod.com/april-fools-day.html>april day fools joke</a> <a href=http://iwrrwyjq.tripod.com/april-fools-day.html>April Fools Emails</a> <a href=http://iwrrwyjq.tripod.com/april-fools-day.html>april best fools joke</a> End ^) cya

• Anonymous
  March 30, 2007
  Very nice! I have some LJ with news, check this out: <a href= http://michelas.livejournal.com >My live journal</a> <a href= http://homerius.livejournal.com >Lastest news</a> <a href= http://johnyknoxw.livejournal.com >My live journal</a>

• Anonymous
  March 31, 2007
  Very nice! I have some LJ with news, check this out: <a href= http://iwantubadlyz.livejournal.com >Newest news</a> <a href= http://annakubat.livejournal.com >Check this out</a> <a href= http://jackie_simpson.livejournal.com >livejournal</a>

• Anonymous
  April 04, 2007
  Added to favorites!!Respect you! This is my site: http://matress.iespana.es http://matress.iespana.es/cleaning-a-soiled-mattress.html http://matress.iespana.es/atlanta-cheap-mattress.html

• Anonymous
  April 04, 2007
  Very nice! I have some sites with news, check this out: <a href= http://nuhost.info >Politics news</a> <a href= http://susearch.info >Lastest news</a> <a href= yanasearch.info >Lifestyle news</a>

• Anonymous
  April 05, 2007
  Added to favorites!!Respect you! This is my site: http://matress.iespana.es http://matress.iespana.es/doctor-approved-chiropractic-mattress.html

• Anonymous
  April 13, 2007
  Hello, nice site look this: http://jewl.info/big-pine-key-fishing-lodge http://jewl.info/compact-flourescent-twist-in-lamps http://jewl.info/big-pine-key-fishing-lodge AST_spmt3

• Anonymous
  April 16, 2007
  adidas calciowarm up http://adidascalciowarmup.blogspot.com

• Anonymous
  April 16, 2007
  Hey, guys! Great site. I bookmark this place and waiting for me tommorow! <a href="http://users2.nofeehost.com/italian4/cibo-geneticamente-modificato.html ">cibo geneticamente modificato</a> [url=http://users2.nofeehost.com/italian4/cibo-geneticamente-modificato.html ]cibo geneticamente modificato[/url]

• Anonymous
  April 20, 2007
  mattress giant shop smart sleep better http://matress.iespana.es/mattress-giant-shop-smart-sleep-better.html atlanta natural latex mattress http://matress.iespana.es/atlanta-natural-latex-mattress.html http://matress.iespana.es/map.html

• Anonymous
  April 22, 2007
  My compliments to a very nice website. I found lots of intresting things here. Many thanks. Good Work dude!

• Anonymous
  April 23, 2007
  Hey, guys! Great site. I bookmark this place and waiting for me tommorow! <a href="http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11 ">Good job! Very useful info!</a> [url=http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11 ]Good job! Very useful info![/url] http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11

• Anonymous
  April 23, 2007
  Good job! Very useful info! <a href="http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11 ">Hey, guys! Great site. I bookmark this place and waiting for me tommorow!</a> [url=http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11 ]Hey, guys! Great site. I bookmark this place and waiting for me tommorow![/url] http://archjava.fluid.cs.cmu.edu/bugzilla/attachment.cgi?id=11

• Anonymous
  April 25, 2007
  Hi i'm drocher. Good day,Hi i'm drocher. Good day

• Anonymous
  April 27, 2007
  My compliments to a very nice website. I found lots of intresting things here. p.s. More How To Have you don't take it acknowledges that shirt looks like more intimate than men.

• Anonymous
  April 27, 2007
  My compliments to a very nice website. I found lots of intresting things here. p.s. They are going to overcome a main dish served in the hits are you circle the act itself.

• Anonymous
  May 02, 2007
     -? ,        :

1.      .       ,     .
2.    .     -     .
3.    .      (, , , ). : http://www.akwadrat.ru/ E-mail: Ra_Design@List.ru   ,   .

• Anonymous
  May 03, 2007
  I found lots of intresting things here. Please more updates.

• Anonymous
  May 04, 2007
  I found lots of intresting things here. Please more updates.

• Anonymous
  May 04, 2007
  Good Work dude! I will visit your website again.

• Anonymous
  May 06, 2007
  Frankly, the way things are right now, I'm not sure I'd want to play myself in my very own movie of the week.

• Anonymous
  May 06, 2007
  Looks great! I found lots of intresting things here. Please more updates.

• Anonymous
  May 06, 2007
  Ja Krevetko! http://buncootcprilosec.iwannaforum.com/ <a href='http://buncootcprilosec.iwannaforum.com/'> bunco otc prilosec </a>

• Anonymous
  May 06, 2007
  I found lots of intresting things here. Please more updates.

• Anonymous
  May 07, 2007
  Ja Krevetko! http://buncootcprilosec.iwannaforum.com/ <a href='http://buncootcprilosec.iwannaforum.com/'> bunco otc prilosec </a>

• Anonymous
  May 07, 2007
  This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

• Anonymous
  May 12, 2007
  Hi Lucy! Photos i received, thanks!!!

• Anonymous
  May 13, 2007
  Great site and excellent resource you have. I think it's very cool. I will visit your website again. Thank you!

• Anonymous
  May 13, 2007
  Very good website you have here, After the visit I put my step in to your guestbook.

• Anonymous
  May 15, 2007
  Great site and excellent resource you have. I think it's very cool. I will visit your website again. Thank you! http://valium1.blogcu.com/ Buy Valium

• Anonymous
  May 15, 2007
  http://matress.iespana.es/foam-mattress-pads.html http://matress.iespana.es/tempurpedic-mattress-pad.html http://matress.iespana.es/eclipse-le-grand-mattress.html

• Anonymous
  May 15, 2007
  Nice design. Please add more smiles to your guestbook :)  Please more updates. http://valium1.blogcu.com/ Buy Valium

• Anonymous
  May 16, 2007
  I found lots of intresting things here. Please more updates. http://valium1.blogcu.com/ Buy Valium

• Anonymous
  May 16, 2007
  If you listen to the Matrix soundtrack on your Ipod, or perhaps a fun song, your life automatically becomes a movie. http://valium1.blogcu.com/ Buy Valium

• Anonymous
  May 18, 2007
  This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

• Anonymous
  May 18, 2007
  Nice site. Very useful contents. I've been looking for information for a long time, and I've found it exactly here. Thank you

• Anonymous
  May 18, 2007
  I have already enjoy your website, and it is so nice and cool. I will visit your website again. Thank you

• Anonymous
  May 20, 2007
  What a good site! I think it wasnt easy to post here so much information. Thank you, I will add it to my bookmarks

• Anonymous
  May 20, 2007
  Good Work dude! I will visit your website again.

• Anonymous
  May 21, 2007
  Dear Friend! Halo! <a herf=http://nail-designtv-show.cammoza.info>nail-designtv-show.cammoza.info&#36948;</a> [url=http://shirt-design.cammoza.info/]shirt-design[/url] <a herf=http://cammoza.info>cammoza.info&#36948;</a> My Regards!

• Anonymous
  May 23, 2007
  Looks great! I found lots of intresting things here. Please more updates.

• Anonymous
  May 23, 2007
  Very good website you have here, After the visit I put my step in to your guestbook.

• Anonymous
  May 27, 2007
  What a good site! I think it wasnt easy to post here so much information. Thank you, I will add it to my bookmarks

• Anonymous
  May 27, 2007
  Looks great! I found lots of intresting things here. Many thanks.

• Anonymous
  May 28, 2007
  Hey! This is really your Work?! Cool! I never earlier did not see sites like this! Tnx!

• Anonymous
  May 28, 2007
  This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

• Anonymous
  May 28, 2007
  Your site is very very cool !! I love it :) Respect !

• Anonymous
  May 29, 2007
  <a href= http://xigozy.angelfire.com >a business decision</a> <a href= http://fatoso.angelfire.com >a 5 drop forwards</a> <a href= http://pohofu.angelfire.com >aaway messages</a> <a href= http://gukogi.angelfire.com >a change of pace lyric loose lip sink ship</a> <a href= http://wedovu.angelfire.com >a way to carry on again</a>

• Anonymous
  June 01, 2007
  Very good website you have here, After the visit I put my step in to your guestbook.

• Anonymous
  June 01, 2007
  Looks great! I found lots of intresting things here. Please more updates.

• Anonymous
  June 01, 2007
  Site - very comprehensive and meticulous from all sides, its good! Just excellent website, I sure! http://caverta1.blogcu.com/3011326/ Buy Caverta Online

• Anonymous
  June 02, 2007
  Hi Webmaster! It was a pleasure to look through this site! there is a lot of new and fresh ideas)!Thank You

• Anonymous
  June 04, 2007
  Hi Webmaster! It was a pleasure to look through this site! there is a lot of new and fresh ideas)!Thank You

• Anonymous
  June 04, 2007
  "It's not because of fate, it's because of Tequila"  That may be the best thing I have ever read in my whole life!

• Anonymous
  June 04, 2007
  Frankly, the way things are right now, I'm not sure I'd want to play myself in my very own movie of the week.

• Anonymous
  June 04, 2007
  Site - very comprehensive and meticulous from all sides, its good! Just excellent website, I sure!

• Anonymous
  June 06, 2007
  Looks great! I found lots of intresting things here. Please more updates.

• Anonymous
  June 09, 2007
  nice site! http://idisk.mac.com/dtd4/Public/ http://pumacartshoes.iespana.es

• Anonymous
  June 09, 2007
  Hi Guys! What Your Blog Powered By?  Keep up the great work!