Thursday, March 15, 2012

Restrict access for anonymous users


If you are building a SharePoint website on the internet, you might have the following architecture.

You will probably have created a web application and configured it to run on Windows Authentication. Then you can extend the same web application from Central Administration, and the extended web application can run on Forms authentication over the internet.
Extending a web application makes SharePoint create a new site in IIS; this site and the site running with Windows Authentication share the same content database.
For most content based web sites over the internet, Anonymous Authentication may be configured for the site.
But configuring anonymous access creates one significant problem for SharePoint sites: areas of the site that you might want to keep under wraps sometimes get exposed over the internet.
There could be other scenarios where you might want your registered users to have more rights than Restricted Read. At the same time you want to keep a tight leash, so that your website is less vulnerable even to users who have registered and logged in, since they are external users and may not be part of your organization. If they have malicious intentions, I guess it is better to be prepared than to be sorry later.
Mostly you would like to restrict the following pages completely from external users who access the site over the internet:
View All Items Page : /_layouts/viewlsts.aspx
The different views in lists and libraries : <Document Library Name>/Forms/Allitems.aspx etc.
There could be a host of other pages as well. But it is crucial that content managers/information workers can still access these pages from the intranet zone of the website.
The good news is there is a very simple way to solve this problem. One thing to keep in mind is that all SharePoint sites are in reality ASP.NET sites, so you can modify the web.config file to do your bidding. In this case, modify the web.config file of the extended web application, the one running on Forms authentication or anonymous authentication on the internet. Add the following section to that web.config file:

<!--Added for Access Control-->
    <location path="_layouts/mobile/mbllogin.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="Pages/Forms">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="Css/Forms">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="PublishingImages/Forms">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="Documents/Forms">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="Lists">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="_layouts/1033">
        <system.web>
            <authorization>
                <allow users="?" />
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="_layouts/<your custom directory>">
        <system.web>
            <authorization>
                <allow users="?" />
                <allow users="*" />
            </authorization>
        </system.web>
    </location>   
    <location path="_layouts/images">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <location path="_layouts">
        <system.web>
            <authorization>
                <deny users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <!--End for Access Control-->

The good thing is you can do a lot of mix and match: allow access to certain areas for anonymous users and for registered users who log in, and completely restrict access to other areas. As you can see above, this particular setting:
1. Allows access to all files and folders under the Pages library, the style sheets library and the images library, but denies access to their Forms folders, so the user cannot open the various views of a document library and fiddle around.
2. Restricts access to all assets under the _layouts directory, but opens the images under _layouts so that logos, banners, icons etc. can still be displayed. Similarly you can open the 1033 directory and any custom directory you have deployed that contains JavaScript files, resources etc.


2 comments:

Anonymous said...

Hi,
I have implemented the same. But even the readers are able to view the Forms/AllItems.aspx and all documents page.

I did IISRESET too. But it didn't help. What would be the reason?

Balmiki said...

Can you try putting "Pages/Forms/AllItems.aspx" instead of "Forms/AllItems.aspx".
Because

<authorization>
<deny users="?" />
<deny users="*" />
</authorization>

Will definitely block all users, logged in or otherwise.
I suspect that the path which you want to selectively restrict is not constructed properly.
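To check what a set of `<location>` rules like the ones in the post actually does before deploying the web.config, and to see why the path in the comment above matters, here is an added example (not code from the original post or from SharePoint) that models how ASP.NET URL authorization evaluates `<allow>`/`<deny>` rules: the most specific matching `<location>` is consulted first, then less specific ones, then the root `<authorization>`, and the first rule that matches the user wins (`?` is the anonymous user, `*` is everyone). It only models the `users` attribute, not `roles` or `verbs`. The embedded config is constructed from the post's listing, with the `<your custom directory>` placeholder replaced by the made-up name `_layouts/MyCustom`; any other web.config text with the same shape can be passed in instead.

```python
"""Model of ASP.NET URL-authorization semantics for SharePoint web.config
<location> blocks. Added example, not the post's or SharePoint's own code.
Only the 'users' attribute is modelled ('?' = anonymous, '*' = everyone)."""
import xml.etree.ElementTree as ET

# Constructed from the post's listing; "_layouts/MyCustom" stands in for the
# "<your custom directory>" placeholder, which is not valid XML as written.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="_layouts/mobile/mbllogin.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Pages/Forms">
    <system.web><authorization><deny users="?" /><deny users="*" /></authorization></system.web>
  </location>
  <location path="Documents/Forms">
    <system.web><authorization><deny users="?" /><deny users="*" /></authorization></system.web>
  </location>
  <location path="Lists">
    <system.web><authorization><deny users="?" /><deny users="*" /></authorization></system.web>
  </location>
  <location path="_layouts/1033">
    <system.web><authorization><allow users="?" /><allow users="*" /></authorization></system.web>
  </location>
  <location path="_layouts/MyCustom">
    <system.web><authorization><allow users="?" /><allow users="*" /></authorization></system.web>
  </location>
  <location path="_layouts/images">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="_layouts">
    <system.web><authorization><deny users="?" /><deny users="*" /></authorization></system.web>
  </location>
</configuration>
"""


def parse_rules(xml_text):
    """Return (root_rules, {location_path: rules}); a rule is (action, [users])."""
    cfg = ET.fromstring(xml_text)

    def rules_of(node):
        auth = node.find("system.web/authorization")
        if auth is None:
            return []
        return [(rule.tag, [u.strip().lower() for u in rule.get("users", "").split(",") if u.strip()])
                for rule in auth]

    locations = {loc.get("path").strip("/").lower(): rules_of(loc) for loc in cfg.findall("location")}
    return rules_of(cfg), locations


def rule_matches(users, user):
    """user is None for an anonymous request, otherwise the account name."""
    for u in users:
        if u == "*" or (u == "?" and user is None) or (user is not None and u == user.lower()):
            return True
    return False


def is_allowed(root_rules, locations, request_path, user=None):
    req = request_path.strip("/").lower()
    # A <location> applies when its path is the request or one of its parent directories.
    applicable = sorted((p for p in locations if req == p or req.startswith(p + "/")),
                        key=len, reverse=True)          # most specific first
    ordered = [r for p in applicable for r in locations[p]] + root_rules
    for action, users in ordered:                       # first matching rule wins
        if rule_matches(users, user):
            return action == "allow"
    return True                                         # ASP.NET default: allow


# Constructed request paths and users worth checking against the sample config.
CHECKS = [
    ("/_layouts/viewlsts.aspx", None), ("/_layouts/viewlsts.aspx", "alice"),
    ("/Documents/Forms/AllItems.aspx", "alice"), ("/Lists/Announcements/AllItems.aspx", None),
    ("/_layouts/images/siteicon.png", None), ("/_layouts/1033/core.js", None),
    ("/_layouts/mobile/mbllogin.aspx", None), ("/Pages/default.aspx", None),
]


def audit(xml_text=SAMPLE_WEB_CONFIG, checks=CHECKS):
    """Map (path, user) -> allowed? for every check, using the parsed config."""
    root, locs = parse_rules(xml_text)
    return {(path, user): is_allowed(root, locs, path, user) for path, user in checks}


if __name__ == "__main__":
    for (path, user), ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {user or 'anonymous':10} {path}")
```

Running it shows the listing behaving as the post describes: `viewlsts.aspx` and the `Forms` views are denied to everyone, while `_layouts/images`, `_layouts/1033` and the mobile login page stay reachable anonymously. It also shows the point of the reply above: a location path of `Forms/AllItems.aspx` matches nothing under `/Pages/Forms/`, because location paths are matched from the web application root, whereas `Pages/Forms/AllItems.aspx` does.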