In this article I am explaining about securing anonymous access in SharePoint 2010 sites. This is a pain for most of organizations when dealing with public facing anonymous access sites. In this article I also cover how to secure _layout folders.
If you're developing an anonymously accessible SharePoint website, especially an internet-facing one, you may have noticed that you're SharePoint Forms pages are also accessible to anonymous users. For example http://SERVER/_layouts/viewlsts.aspx, _vti_bin web services etc. Typically we don't want this, so how do you prevent anonymous users from accessing these pages? The following steps will help you to do it. This feature is known as lock down feature which is by default enabled for publishing sites.
To enable this feature
- First remove all anonymous access from the site.
- Then open command prompt and go to the folder C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN
- First check whether the feature is activated or not; you can use the command below to check it
- get-spfeature -site http://url
- If ViewFormPagesLockDown is listed, it's enabled.
- If not listed you have to enable it with the command below
To activate the Activate Feature:
- stsadm -o activatefeature -url -filename ViewFormPagesLockDown\feature.xml
De-Activate Feature:
- stsadm -o deactivatefeature -url -filename ViewFormPagesLockDown\feature.xml
Even when lockdown mode is enabled, anonymous users can still access certain SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. So, to increase security, you should enable lockdown mode and also modify the Web.config file with the following XML element:
<add path="configuration">
<location path="_layouts">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="_vti_bin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="_layouts/login.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="_layouts/error.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="_layouts/accessdenied.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>