Locking down _layouts/_vti_bin & built in SharePoint pages on Anonymous Internet facing sites

On internet-facing anonymous sites you may have noticed that your SharePoint form pages are also accessible to anonymous users. For example, if you are using the publishing features, anonymous users might be able to get to

http://{servername}/Pages/Forms/AllItems.aspx

This is a security concern that we really do not want. MOSS 2007 provides a feature called “ViewFormPagesLockdown” that locks down access to these pages for anonymous users:

stsadm.exe -o activatefeature -url http://{servername} -filename ViewFormPagesLockdown\feature.xml

Running the above command enables lockdown mode for the form pages.

Please Note:

  1. If you already had anonymous access enabled, you will need to disable it, then enable it again.
  2. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to on, click OK.
  3. You should now get an authentication prompt when you try to navigate to a forms page.

However, even when lockdown mode is enabled, anonymous users can still access certain Office SharePoint Server application URLs, such as pages in the _layouts directory and Web services exposed in the _vti_bin directory. To lock down these as well, you need to make some changes to the web.config file of your SharePoint web application, as described below.

The web.config change first denies anonymous users access to all pages in the _layouts and _vti_bin directories, and then allows anonymous users access to three specific pages in the _layouts directory that SharePoint needs in order to function correctly. In ASP.NET authorization rules the question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.


To allow anonymous users to authenticate themselves with the server, you should ensure that they have access to the following pages:

  1. _layouts/login.aspx
  2. _layouts/accessdenied.aspx
  3. _layouts/error.aspx

If you deny anonymous users access to any of these pages, Office SharePoint Server will not function properly.
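A web.config fragment that implements the rules described above, written here as an added example rather than the post's own listing. The location elements sit directly under the root configuration element of the web application's web.config; the directory and page names are the ones the post names, and the precedence comment reflects how ASP.NET URL authorization evaluates rules (most specific matching path first).

```xml
<configuration>
  <!-- Deny anonymous users ("?") every page under _layouts and every
       web service under _vti_bin. Authenticated users are unaffected. -->
  <location path="_layouts">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_bin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- Re-open only the three pages SharePoint needs so that an anonymous
       user can be prompted to log in or be shown an error page. ASP.NET
       applies the rules of the most specific matching path first, so these
       per-page allows take precedence over the directory-level deny. -->
  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After applying it, check from an unauthenticated browser that a _layouts page and a _vti_bin service both prompt for authentication while the three listed pages still load. Any other resource under these directories that anonymous users genuinely need is opened with its own location element, and each such exception widens the anonymous surface, so keep that list minimal.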


4 thoughts on “Locking down _layouts/_vti_bin & built in SharePoint pages on Anonymous Internet facing sites”

  1. One question though:
    If you have search configured, which is crawling the attachments against any list item (say PDFs), then on the search result page the user will find a link to dispform.aspx. This is correct if it is an attachment, but incorrect when it is a list item, as it will show all the details about that item, which were supposed to be hidden from users other than the administrator.

  2. Hi,

    Can we allow access to a specific service (_vti_bin/lists.asmx) in the same way you have provided access to some pages (login.aspx, error.aspx)?

    Thanks and Regards,
    K. Pradeep
