On Internet-facing anonymous sites, you may have noticed that your SharePoint Forms pages are also accessible to anonymous users. For example, if you’re using the publishing features, anonymous users might be able to get to
Which is a security concern and something we really do not want. MOSS 2007 provides a feature called “ViewFormPagesLockdown”, which helps lock down access to these pages for anonymous users.
stsadm.exe -o activatefeature -url <site collection URL> -filename ViewFormPagesLockdown\feature.xml
Running the above command will enable the lockdown for Form pages.
- If you already had anonymous access enabled, you’ll need to disable it, then enable it again.
- Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to on, click OK.
- You should now get an authentication prompt when you try to navigate to a forms page.
However, even when lockdown mode is enabled, anonymous users can still access certain Office SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. To lock down these pages as well, you will need to make some changes to the web.config file of your SharePoint site, as shown below.
The following XML fragment first denies anonymous users access to all pages in the _layouts and _vti_bin directories, and then allows anonymous users access to three specific pages in the _layouts directory (these are required for SharePoint to function correctly). The question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.
To allow anonymous users to authenticate themselves with the server, you should ensure that they have access to the following pages:
If you deny anonymous users access to any of these pages, Office SharePoint Server will not function properly.
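An added example, not part of the original post: a small Python audit of a web.config for the rules described above. It checks that anonymous users (?) are denied on _layouts and _vti_bin and lists every path that is explicitly re-opened to them, so the exceptions can be reviewed. The sample configuration is constructed, and the three allowed page names in it are assumed sample values, not taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not from the original page).
# The three "allow" page names are assumed sample values.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="_layouts"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
  <location path="_vti_bin"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
  <location path="_layouts/login.aspx"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
  <location path="_layouts/error.aspx"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
  <location path="_layouts/accessdenied.aspx"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
</configuration>"""

# Directories the post says must be closed to anonymous users.
REQUIRED_DENY = ("_layouts", "_vti_bin")

def anonymous_rules(xml_text):
    """Map each <location path> to the 'allow' or 'deny' that anonymous users hit."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        path = loc.get("path", "").strip("/").lower()
        auth = next(loc.iter("authorization"), None)
        if auth is None:
            continue
        for rule in auth:  # ASP.NET applies the first rule that matches the user
            users = [u.strip() for u in rule.get("users", "").split(",")]
            # "?" is anonymous users; "*" is all users, which includes them.
            if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
                rules[path] = rule.tag
                break
    return rules

def audit(xml_text):
    """Return (directories missing an anonymous deny, paths re-opened to anonymous)."""
    rules = anonymous_rules(xml_text)
    missing = [p for p in REQUIRED_DENY if rules.get(p) != "deny"]
    reopened = sorted(p for p, action in rules.items() if action == "allow")
    return missing, reopened

if __name__ == "__main__":
    missing, reopened = audit(SAMPLE_WEB_CONFIG)
    print("Missing anonymous deny:", missing or "none")
    print("Anonymous exceptions to review:", reopened)
```

An empty first list means both directories are locked down; anything in the second list beyond the pages SharePoint needs for authentication is an exception worth questioning.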