Securing SharePoint for internet facing sites

First Read this blog post: http://blogs.msdn.com/ecm/archive/2007/05/12/anonymous-users-forms-pages-and-the-lockdown-feature.aspx

and this technet article http://technet2.microsoft.com/Office/en-us/library/f507f5d6-4c9d-4f98-909f-069c53b9a3f61033.mspx?mfr=true

Then I will tell you what worked for us on this WSS site:

First off, securing allitems.aspx and the other form pages can't be done with the ViewFormPagesLockdown feature mentioned in the article above, as this is a WSS site. We tried to use the location setting in web.config to restrict these, but no luck there unfortunately. That leaves us with having to write a custom HttpHandler, which is a post for another day. What we did do for allitems.aspx is negate its usefulness by restricting users so they can only see their own posts in the lists they can post to. We also created a more restrictive permission role to block some of the download features of document libraries - see the earlier post on this.

Our configuration for this site is two application zones: one is AD authenticated and the other is forms based. Since the forms-based one is really the internet-facing one, we need to restrict access to more information. Basically, almost everything under _layouts should be blocked. So for this web application we simply edited the web.config and added the following entries:

  <location path="_layouts/images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/1033">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/groupeditempicker.js">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts">
    <system.web>
      <authorization>
        <allow users="notorioustech" />
        <deny users="?,*" />
      </authorization>
    </system.web>
  </location>

Note: the _layouts allow entries are required (fill in the appropriate locale folder for wherever you are in place of 1033) so that pages still display correctly.

Since the portal is also accessible through the AD zone, we can still use the _layouts forms from there.

FOLLOWUP: Don't forget to secure your _vti_bin directory. The web services interface to SharePoint is a big backdoor.

  <location path="_vti_bin">
    <system.web>
      <authorization>
        <allow users="notorioustech" />
        <deny users="?,*" />
      </authorization>
    </system.web>
  </location>
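To check that a lockdown like the _layouts and _vti_bin entries above actually produces the decisions you expect before you deploy it, here is an added example (my own audit script, not code from the original post or from Microsoft) that parses the <location> entries and replays ASP.NET's URL authorization logic against a list of sample requests. It models the rules as ASP.NET evaluates them: rules are checked in order and the first match wins, rules from a more specific <location> path are consulted before those of its parent, "*" matches every user and "?" matches only anonymous users, and a request no rule matches falls through to the default allow. It ignores the roles and verbs attributes and says nothing about IIS-level or SharePoint item-level permissions. The web.config fragment, the account name "notorioustech" (taken from the post) and the probe paths are constructed sample data; the same_decisions check at the end shows that the post's deny users="?,*" decides every probe exactly as deny users="*" would, since "*" already covers anonymous users.

```python
"""Replay ASP.NET URL authorization rules from a web.config lockdown (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the post's <location> entries wrapped in a root element so they parse.
WEB_CONFIG = """<configuration>
  <location path="_layouts/images"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="_layouts/1033"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="_layouts/groupeditempicker.js"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="_layouts/accessdenied.aspx"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="_layouts"><system.web><authorization>
    <allow users="notorioustech" /><deny users="?,*" /></authorization></system.web></location>
  <location path="_vti_bin"><system.web><authorization>
    <allow users="notorioustech" /><deny users="?,*" /></authorization></system.web></location>
</configuration>"""

Rule = Tuple[str, Set[str]]       # ("allow" | "deny", set of user tokens)
RuleSet = Dict[str, List[Rule]]   # location path -> rules in document order


def parse_location_rules(xml_text: str) -> RuleSet:
    """Collect the allow/deny rules of every <location> element, keeping document order."""
    rules: RuleSet = {}
    for loc in ET.fromstring(xml_text).findall("location"):
        path = (loc.get("path") or "").strip("/").lower()
        auth = next(loc.iter("authorization"), None)
        entries: List[Rule] = []
        if auth is not None:
            for el in auth:
                if el.tag not in ("allow", "deny"):
                    continue  # roles/verbs are not modelled here
                users = {u.strip().lower() for u in el.get("users", "").split(",") if u.strip()}
                entries.append((el.tag, users))
        rules[path] = entries
    return rules


def applicable_rules(rules: RuleSet, request_path: str) -> List[Rule]:
    """Rules of the most specific matching location first, then its parents, then the root default."""
    p = request_path.strip("/").lower()
    matching = [loc for loc in rules if p == loc or p.startswith(loc + "/")]
    matching.sort(key=len, reverse=True)
    ordered: List[Rule] = []
    for loc in matching:
        ordered.extend(rules[loc])
    ordered.append(("allow", {"*"}))  # machine-level default: allow everyone
    return ordered


def is_authorized(rules: RuleSet, request_path: str, user: Optional[str]) -> bool:
    """First matching rule wins. user=None represents an anonymous request."""
    for verb, users in applicable_rules(rules, request_path):
        if "*" in users:
            matched = True
        elif "?" in users and user is None:
            matched = True
        else:
            matched = user is not None and user.lower() in users
        if matched:
            return verb == "allow"
    return True  # not reached: the appended root rule always matches


def same_decisions(a: RuleSet, b: RuleSet, probes: List[Tuple[str, Optional[str]]]) -> bool:
    """True when two rule sets decide every probe identically."""
    return all(is_authorized(a, p, u) == is_authorized(b, p, u) for p, u in probes)


# Constructed probes: (request path, user); None is an anonymous forms-zone visitor.
PROBES = [
    ("_layouts/images/blank.gif", None),
    ("_layouts/1033/core.js", None),
    ("_layouts/accessdenied.aspx", None),
    ("_layouts/viewlsts.aspx", None),
    ("_layouts/viewlsts.aspx", "someone"),
    ("_layouts/viewlsts.aspx", "notorioustech"),
    ("_vti_bin/lists.asmx", None),
    ("default.aspx", None),
]

if __name__ == "__main__":
    rules = parse_location_rules(WEB_CONFIG)
    for path, user in PROBES:
        print(f"{path:32} {user or '<anonymous>':14} -> {'allow' if is_authorized(rules, path, user) else 'DENY'}")
    simpler = parse_location_rules(WEB_CONFIG.replace('users="?,*"', 'users="*"'))
    print("deny ?,* equivalent to deny *:", same_decisions(rules, simpler, PROBES))
```

Run it against your real web.config by reading the file into WEB_CONFIG; any probe that comes back "allow" for an anonymous user under _layouts or _vti_bin that you did not intend to expose is a rule-ordering or path-spelling mistake worth fixing before the forms zone goes live.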

Published Wednesday, July 25, 2007 5:01 PM by notorioustech

Comments

# re: Securing SharePoint for internet facing sites

Keeping your SharePoint site as secure as possible is very important. Another good piece of advice is to make sure that all permissions on the SharePoint site are assigned properly and there aren't any security holes. I would take a look at <a href="dl.scriptlogic.com/.../Security-Explorer-for-SharePoint.aspx">Security Explorer for SharePoint</a>, which can simplify all this. Hope it helps.

Monday, August 20, 2007 11:14 AM by Calvin Rees

# re: Securing SharePoint for internet facing sites

Thanks for the helpful article! One thing that I had not seen before, though, is the usage of

<deny users="?,*" />

I tried this for my layouts and it seemed to behave like just using

<deny users="*" />

thus denying all users except the site admin. Can you expand on this a bit? Many thanks in advance!

Friday, March 13, 2009 4:00 PM by jackiinthegreen