Monday, 4 February 2008

Securing MOSS 2007 Publishing Sites with Lockdown Mode

You can use Microsoft Office SharePoint Server 2007 for different types of purposes. MOSS 2007 is replacing MCMS, so people are starting to build custom public anonymous websites with MOSS 2007, this involves creating a site using the Publishing Site Template.

MOSS 2007 can also be used for collaboration, so users may need to view the list Forms, AllItems.aspx, DispForms.aspx etc. for a list so they can navigate through data in the site.
BUT You don't want people access to those forms if you are using MOSS 2007 for a public publishing internet site, you only want users to access Publishing Pages not to view all site content or to view lists.
So there is a feature you need to enable to keep anonymous users out of Form pages in your site, you also may want to restrict anonymous people from using remote interfaces which this feature also provides.

The feature is called ViewFormPagesLockDown, the details about this feature can be found on TechNet :
http://technet2.microsoft.com/Office/en-us/library/f507f5d6-4c9d-4f98-909f-069c53b9a3f61033.mspx#section6 - Use Lockdown Mode
The above page is handy and has alot of planning info for providing external anonymous access in MOSS 2007.

To Activate the Feature :
stsadm -o activatefeature -url -filename ViewFormPagesLockDown\feature.xml

ONE IMPORTANT TIP :
I recently had this enabled on an anonymous site, but there was no effect, it was not working
It didn't seem to kick-in, I browsed the site anonymously and I could still get access to the Form pages, and view list data.
I didn't know what to do, finally the kind people at Microsoft suggested I try something to get it working.
What was the trick?
With the ViewFormPagesLockDown feature Enabled, I disabled Anonymous Access in the site, then re-enabled it.
After toggling anonymous access in the site, the feature started to work and anonymous users cannot access the Form pages anymore!

7 comments:

mswin said...

I would like to know Whether the lockdown feature is supported for the Search Center with tabs Template or not.
I have extranet facing site created with the Search Center with Tabs template and tried with the Lock down feature.

Is it mandatory to have Publishing Template to use Lock down feature.

Sezai said...

>> I would like to know Whether the lockdown feature is supported for the Search Center with tabs Template or not.

If it isn't, then you should be able to activate the feature on the site collection


>> Is it mandatory to have Publishing Template to use Lock down feature

No, you can manually deactivate the feature using STSADM. Although with a Publishing Template you usually want keep the users out of list forms, but you can have Lock down disabled if you want to give users access to list forms

csteacy said...

Hello, this is a great post. One question, when you said you toggled the AA access for the site...is that in your external site only or/and also the setting for AA in Central Administration. Please let me know. Thank you.

Sezai said...

>> ...is that in your external site only or/and also the setting for AA in Central Administration.


Only in the external site, not central admin. So enable Anonymous Access once for the web application in central admin, and then toggle the setting in the site to get lockdown mode to work.

Anonymous said...

How can I avoid the lock down feature on specific lists. Example I would like the calendar list to excluded - can this be done easily.
Thanks.

Jamil Haddadin said...

I love you!!!! the last tip is very helpful

Ade Fell said...

Is there a way to prevent the login box appearing when you try to browse those pages anonymously. I would prefer it that it says 404 error page not found or something.