Locking down Office SharePoint Server sites

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2016-11-14

By enabling lockdown mode on a Microsoft Office SharePoint Server 2007 site, you can restrict the permissions for anonymous users. For more information about lockdown mode in Office SharePoint Server 2007, see the "Use lockdown mode" section in Plan security for an external anonymous access environment (Office SharePoint Server).

However, even when lockdown mode is enabled, anonymous users can still access certain Office SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. This topic describes how to modify the Web.config file to restrict access to these additional resources.

Note

To increase security on your Office SharePoint Server site, you should enable lockdown mode and modify the Web.config file, as described in this topic.

Allowing and denying access by using the Web.config file

You can both allow and deny access to Web resources by adding location elements to the Web.config file. For example, you could add a location element to deny anonymous users access to the _layouts directory, and then add a second location element to explicitly allow anonymous users access to the _layouts/login.aspx page. The second location element overrides the first location element, and creates an exception to the deny access for the login page.

For more information about the location element, see the "Use lockdown mode" section of Plan security for an external anonymous access environment (Office SharePoint Server).

Note

Editing the Web.config file directly is not recommended. If you modify the Web.config file directly, it is possible that the modifications will be overwritten when you upgrade your Office SharePoint Server installation, or that the modified Web.config file might not be copied to all front-end Web servers in the farm. Instead, you should create a special XML file and save it in the \Config directory. During an upgrade, both Windows SharePoint Services 3.0 and Office SharePoint Server 2007 look for files in this directory and apply the changes that are specified in the files to the Web.config file, thus persisting any changes you make. For more information about persisting customizations to the Web.config file in Windows SharePoint Services 3.0 and Office SharePoint Server 2007, see How To: Add Custom Configuration Settings to Extend a Web Application (https://go.microsoft.com/fwlink/?LinkId=157096).

Which pages should anonymous users have access to?

To allow anonymous users to authenticate themselves with the server, you should ensure that they have access to the following pages:

  • _layouts/login.aspx

  • _layouts/accessdenied.aspx

  • _layouts/error.aspx

If you deny anonymous users access to any of these pages, Office SharePoint Server will not function properly.

If you have deployed custom solutions that require anonymous users to access additional pages in the _layouts directory or additional services in the _vti_bin directory, explicitly allow anonymous access to those resources as well.

Examples

The first two examples in this section illustrate possible strategies for restricting anonymous access. For ease of reading, both examples present the XML that would appear in the Web.config file. The third example illustrates the proper way to add XML elements to the Web.config file in Windows SharePoint Services and Office SharePoint Server.

Important

Do not add the XML statements from either of the first two examples directly to the Web.config file. Instead, create a file similar to the third example and save it in the \Config directory, as explained in How To: Add Custom Configuration Settings to Extend a Web Application (https://go.microsoft.com/fwlink/?LinkId=157096).

Example 1: Deny access to everything; selectively allow access to specific resources

The following XML fragment first denies anonymous users access to all pages in the _layouts and _vti_bin directories, and then allows anonymous users access to four specific pages in the _layouts directory. The question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.

<configuration>

  <location path="_layouts">
    <system.web>                  
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_vti_bin">
    <system.web>                  
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
 
  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>


</configuration>

Example 2: Deny access to specific resources

The following XML fragment denies anonymous users access to _layouts/error.aspx and _layouts/SearchResults.aspx. Access to other pages in the _layouts directory is governed by the site’s lockdown mode status. The question mark (?) represents anonymous users. These restrictions do not apply to authenticated users.

<configuration>

  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/SearchResults.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>

Example 3: Add the XML statements from example 1 in a way that is preserved during updates

The following XML statements illustrate how to add the XML statements from example 1 to the Web.config file in such a way that the additions will be preserved when Windows SharePoint Services or Office SharePoint Server is updated, as described in How To: Add Custom Configuration Settings to Extend a Web Application (https://go.microsoft.com/fwlink/?LinkId=157096).

<?xml version="1.0" encoding="utf-8" ?>
<actions>

  <add path="configuration">
  <location path="_layouts">
    <system.web>                  
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_vti_bin">
    <system.web>                  
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>


  </add>
</actions>

After creating a file that contains XML statements similar to those in example 3, you would save the file in the \Config directory with a name in the format webconfig.<name>.xml. To apply these changes to the farm, run the Stsadm copyappbincontent operation on each front-end Web server. For more information, see Copyappbincontent: Stsadm operation (Office SharePoint Server).
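The following script is an added example and is not part of this article or of the SharePoint product. It reads a webconfig.<name>.xml actions file made of location elements (two constructed samples are embedded: one modeled on example 1, one modeled on example 2 but mistakenly denying error.aspx), simulates how ASP.NET URL authorization resolves anonymous access (the more specific location's rules are evaluated first, which is why the _layouts/login.aspx element overrides the _layouts element), and reports whether any of the three pages anonymous users must reach has been denied. It assumes a single file of location rules with ASP.NET's default allow for anything unmatched; lockdown mode itself is not modeled, so a page the script reports as allowed may still be governed by lockdown mode.

```python
"""Added example (not from the TechNet article): parse a webconfig.<name>.xml
actions file built from <location> elements and simulate how ASP.NET URL
authorization resolves anonymous access, so the three pages anonymous users
must reach can be checked before the file is copied to \\Config."""
import xml.etree.ElementTree as ET

# Constructed sample modeled on example 3: deny anonymous users the _layouts
# and _vti_bin directories, then allow the three pages they must reach.
SAMPLE_DENY_ALL_ALLOW_SOME = """<?xml version="1.0" encoding="utf-8" ?>
<actions>
  <add path="configuration">
    <location path="_layouts"><system.web><authorization><deny users="?" /></authorization></system.web></location>
    <location path="_vti_bin"><system.web><authorization><deny users="?" /></authorization></system.web></location>
    <location path="_layouts/login.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
    <location path="_layouts/error.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
    <location path="_layouts/accessdenied.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
  </add>
</actions>"""

# Constructed sample modeled on example 2, but it denies error.aspx, one of
# the pages anonymous users must be able to reach (the article warns against this).
SAMPLE_DENY_SOME = """<?xml version="1.0" encoding="utf-8" ?>
<actions>
  <add path="configuration">
    <location path="_layouts/error.aspx"><system.web><authorization><deny users="?" /></authorization></system.web></location>
    <location path="_layouts/SearchResults.aspx"><system.web><authorization><deny users="?" /></authorization></system.web></location>
  </add>
</actions>"""

# Pages the article says anonymous users must keep access to.
REQUIRED_ANONYMOUS_PAGES = (
    "_layouts/login.aspx",
    "_layouts/accessdenied.aspx",
    "_layouts/error.aspx",
)


def _normalize(path):
    """Location paths and request URLs compare case-insensitively, without slashes at the ends."""
    return path.strip().strip("/").lower()


def parse_location_rules(xml_text):
    """Return {normalized location path: [(verb, users), ...]} in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = {}
    for loc in root.iter("location"):
        path = _normalize(loc.get("path", ""))
        for auth in loc.iter("authorization"):
            for rule in auth:
                if rule.tag in ("allow", "deny"):
                    rules.setdefault(path, []).append((rule.tag, rule.get("users", "")))
    return rules


def anonymous_allowed(rules, url):
    """Simulate URL authorization for an anonymous request.

    Assumption (ASP.NET behaviour): the rules of the most specific <location>
    are evaluated first, then each parent's; within a location the first rule
    naming the caller wins. '?' is the anonymous user and '*' is everyone.
    If nothing matches, ASP.NET's default <allow users="*"/> applies.
    """
    segments = _normalize(url).split("/")
    for depth in range(len(segments), 0, -1):
        for verb, users in rules.get("/".join(segments[:depth]), []):
            targets = {u.strip() for u in users.split(",")}
            if targets & {"?", "*"}:
                return verb == "allow"
    return True


def missing_required_pages(rules):
    """Required pages that the location rules would deny to anonymous users."""
    return [p for p in REQUIRED_ANONYMOUS_PAGES if not anonymous_allowed(rules, p)]


def audit(xml_text, probe_urls):
    """Audit one actions file: required-page check plus a verdict per probe URL."""
    rules = parse_location_rules(xml_text)
    return {
        "missing_required": missing_required_pages(rules),
        "anonymous_access": {u: anonymous_allowed(rules, u) for u in probe_urls},
    }


if __name__ == "__main__":
    probes = ["_layouts/login.aspx", "_layouts/settings.aspx",
              "_vti_bin/lists.asmx", "Pages/default.aspx"]
    for name, sample in (("example 1", SAMPLE_DENY_ALL_ALLOW_SOME),
                         ("example 2 (broken)", SAMPLE_DENY_SOME)):
        print(name, audit(sample, probes))
```

Run the script against the file you intend to drop into \Config before running copyappbincontent; an empty `missing_required` list means login.aspx, accessdenied.aspx and error.aspx all remain reachable by anonymous users, while any entry in it is a page the article says must not be denied.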

See Also

Concepts

Plan security for an external anonymous access environment (Office SharePoint Server)