Securing SharePoint and the infrastructure around it becomes especially important for external, Internet-facing websites that run on SharePoint 2007 and are available to anonymous users. Detailed security guidance for this scenario is available in the TechNet article Plan security for an external anonymous access environment (Office SharePoint Server).
Lockdown Mode
One of the steps described in that article is to enable lockdown mode. Lockdown mode is a feature you can use to secure published sites: enabling it on a site restricts the permissions granted to anonymous users.
Permission                                          Limited access (default)   Limited access (lockdown mode)
List permissions: View Application Pages            Y                          N
Site permissions: Browse User Information           Y                          Y
Site permissions: Use Remote Interfaces             Y                          N
Site permissions: Use Client Integration Features   Y                          Y
Site permissions: Open                              Y                          Y
When lockdown mode is turned on, the fine-grained permissions included in the Limited Access permission level are reduced. It is applied to sites under the following circumstances:
For more information about lockdown mode in SharePoint 2007, see the "Use lockdown mode" section in the article linked above.
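As an added example (not code from the original article or from the TechNet guidance), the following PowerShell script activates the lockdown feature on a site collection with stsadm and then reads the Limited Access permission level back through the SharePoint object model, so you can confirm which rights it still grants rather than trusting that the feature took effect. It assumes SharePoint 2007 with stsadm.exe in the default 12 hive location, PowerShell 2.0 or later, and a site collection URL you administer (the URL below is a placeholder).

```powershell
# Added example, not from the original post. Activates ViewFormPagesLockDown
# and verifies the resulting Limited Access rights through the object model.
# Assumptions: SharePoint 2007 farm server, default 12 hive path, PowerShell 2.0+,
# and $SiteUrl is a site collection you administer (placeholder value below).

param(
    [string]$SiteUrl = "http://intranet.contoso.com"   # assumed site collection URL
)

# Default stsadm.exe location for the 12 hive (assumption; adjust if relocated)
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# activatefeature takes the feature folder name via -name (or a path to
# feature.xml relative to the FEATURES folder via -filename), not a bare path.
& $stsadm -o activatefeature -name ViewFormPagesLockDown -url $SiteUrl
if ($LASTEXITCODE -ne 0) { throw "stsadm activatefeature failed with exit code $LASTEXITCODE" }

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.RootWeb
    # Limited Access is the role definition of type Guest
    $limited = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
    $perms   = $limited.BasePermissions

    # The rights listed in the lockdown-mode table above, by their API names
    $checks = @{
        "ViewFormPages (View Application Pages)"         = [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
        "UseRemoteAPIs (Use Remote Interfaces)"          = [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs
        "BrowseUserInfo (Browse User Information)"       = [Microsoft.SharePoint.SPBasePermissions]::BrowseUserInfo
        "UseClientIntegration (Client Integration)"      = [Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration
        "Open"                                           = [Microsoft.SharePoint.SPBasePermissions]::Open
    }
    foreach ($name in $checks.Keys) {
        $granted = (([uint64]($perms -band $checks[$name])) -ne 0)
        "{0,-48} granted={1}" -f $name, $granted
    }

    # Lockdown mode is only effective if anonymous users lose ViewFormPages
    if (([uint64]($perms -band [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)) -ne 0) {
        Write-Warning "Limited Access still grants ViewFormPages; lockdown mode is not in effect on $SiteUrl."
    }
}
finally {
    $site.Dispose()
}
```

Run it from an elevated PowerShell prompt on a farm server. The check at the end is the one worth keeping: if ViewFormPages is still granted after activation, anonymous users can still reach application pages regardless of what the feature list in Central Administration says.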
What else needs to be done?
Even when lockdown mode is enabled, anonymous users can still access certain SharePoint Server application URLs, such as pages in the _layouts directory and the Web services exposed in the _vti_bin directory. So, to increase security, enable lockdown mode and also modify the Web.config file.
The article Locking down Office SharePoint Server sites describes how to modify the Web.config file to restrict access to these additional resources. The sample XML from that article, showing the statements to add to the Web.config file, is reproduced below:
<?xml version="1.0" encoding="utf-8" ?>
<actions>
  <add path="configuration">
    <!-- Deny the anonymous identity ("?") access to application pages -->
    <location path="_layouts">
      <system.web><authorization><deny users="?" /></authorization></system.web>
    </location>
    <!-- Deny the anonymous identity access to the Web services -->
    <location path="_vti_bin">
      <system.web><authorization><deny users="?" /></authorization></system.web>
    </location>
    <!-- Re-allow the pages a blocked anonymous user must still be able to reach -->
    <location path="_layouts/login.aspx">
      <system.web><authorization><allow users="?" /></authorization></system.web>
    </location>
    <location path="_layouts/error.aspx">
      <system.web><authorization><allow users="?" /></authorization></system.web>
    </location>
    <location path="_layouts/accessdenied.aspx">
      <system.web><authorization><allow users="?" /></authorization></system.web>
    </location>
  </add>
</actions>
Based on your specific requirements for giving anonymous users access to particular pages in the _layouts directory and/or services in the _vti_bin directory, modify the XML accordingly and follow the deployment process given in the How To: Add Custom Configuration Settings to Extend a Web Application article.
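The following PowerShell script is an added example (not code from the original article or from the linked TechNet articles) of applying the same authorization entries through SPWebConfigModification, which is the mechanism the "How To: Add Custom Configuration Settings" article describes, so the change is stored in the configuration database and reapplied on every front-end server instead of being hand-edited into one web.config. It then requests a few paths anonymously to show what the rules actually block. It assumes a SharePoint 2007 or 2010 farm server, PowerShell 2.0 or later, farm administrator rights, and an anonymous-enabled web application; the URL and the owner tag are placeholders.

```powershell
# Added example, not from the original post. Registers the _layouts/_vti_bin
# authorization rules as SPWebConfigModification entries and probes them anonymously.
# Assumptions: run as a farm administrator on a farm server, PowerShell 2.0+,
# $WebAppUrl is a placeholder for the anonymous-enabled web application, and
# $Owner is an arbitrary label used to find (and later remove) these entries.

param(
    [string]$WebAppUrl = "http://www.contoso.com",   # assumed web application URL
    [string]$Owner     = "AnonymousLockdown"          # assumed owner tag
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebAppUrl)

# Same rules as the sample XML: deny "?" (anonymous) on the two directories,
# then allow it again on the pages a denied user is redirected to.
$rules = @(
    @{ Path = "_layouts";                   Rule = "deny"  },
    @{ Path = "_vti_bin";                   Rule = "deny"  },
    @{ Path = "_layouts/login.aspx";        Rule = "allow" },
    @{ Path = "_layouts/error.aspx";        Rule = "allow" },
    @{ Path = "_layouts/accessdenied.aspx"; Rule = "allow" }
)

$seq = 0
foreach ($r in $rules) {
    $mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
    $mod.Path     = "configuration"
    # Name is the XPath of the node to ensure, relative to Path; using the
    # path attribute keeps each <location> element distinct and idempotent.
    $mod.Name     = "location[@path='$($r.Path)']"
    $mod.Owner    = $Owner
    $mod.Sequence = $seq++
    $mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
    $mod.Value    = "<location path=`"$($r.Path)`"><system.web><authorization><$($r.Rule) users=`"?`" /></authorization></system.web></location>"
    $webApp.WebConfigModifications.Add($mod)
}
$webApp.Update()
# Writes the registered modifications into web.config on every front-end in the farm
[Microsoft.SharePoint.Administration.SPWebService]::ContentService.ApplyWebConfigModifications()

# Verification: fetch each path without credentials and report the HTTP status.
# ASP.NET URL authorization answers a denied anonymous request with 401 under
# Windows authentication, or a 302 to login.aspx under forms authentication;
# a 200 on _layouts or _vti_bin means the rule did not apply.
function Test-AnonymousPath([string]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Credentials       = $null     # anonymous: no integrated auth handshake
    $req.AllowAutoRedirect = $false    # show the redirect instead of following it
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) { $code = [int]$_.Exception.Response.StatusCode }
        else { $code = -1 }   # no HTTP response at all (DNS, connection refused, ...)
    }
    "{0,-70} HTTP {1}" -f $url, $code
}

foreach ($p in "_layouts/settings.aspx", "_vti_bin/lists.asmx", "_layouts/login.aspx") {
    Test-AnonymousPath "$WebAppUrl/$p"
}
```

Keep the probe loop as a standing check: the entries survive IIS resets and new front-end servers because they are stored in the configuration database, but a later solution that removes or rewrites the `<location>` elements would only show up in the anonymous responses, not in Central Administration.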
Is this possible with 2010 also?
How about SharePoint 2010? Could it work there?
IB, Michael, yes, this works for 2010 also. If it is not enabled, enable the lockdown feature (ViewFormPagesLockDown), which is normally enabled by default for Publishing sites, and make the required changes to the web.config as described above.
Stsadm.exe command line gives an error message as below:
Failed to find the XML file at location '12\Template\Features\ViewFormPagesLockDownfeature.xml'
Any idea how I can turn on lockdown mode?