I see London, I see France… (Properly Securing Your Public Sites Part 1)

Edit: Looks like Rich Finn was inspired to write the same post just a couple of days ago. He picked an even scarier search phrase that returned over 20k hits!

I see your site’s underpants!

Do you have a public facing SharePoint site that allows anonymous access? If you do, are you sure your anonymous users can’t step behind the curtains and browse your lists and libraries?

Just for fun, open your favorite search engine and search for "Items in this list contain HTML or text content which can be inserted into web pages".

Here is a screenshot of the results using Live search.

This screen shot proves two things.

  1. There are a lot of sites out there using the MOSS publishing infrastructure.
  2. The people who built the sites didn’t configure them properly.

(Fortunately I know it wasn’t any of us, right?) J

If your site is a collaboration site, you might not care if people can see the list form pages. In fact, you can see my form pages and I am happy because they show information that I want my visitors to see. On the other hand, if you have a publishing site that contains extensive and expensive branding, you probably don’t want your users to see the supporting list forms and you almost certainly don’t want the list forms showing up in people’s search results!

I am not sure why there are so many sites out there that have this specific problem. I know that sites based on the Minimal Publishing site definition exhibit the problem, but I can see that many of these sites are based on something else because they include the files deployed by the PublishingLayouts feature and this feature is not part of the minimal publishing site definition.

To fix this problem, all you have to do is activate a feature named ViewFormPagesLockDown. If your site is based on the built-in Publishing Portal or Collaboration Portal site definitions, it should already be active. If not, you’ll need to use the command line to activate ViewFormPagesLockDown.

Do so as follows:

stsadm –o activatefeature –name ViewFormPagesLockDown –url http://YourSiteHere.

This requires you to have MOSS because ViewFormPagesLockDown does not ship with WSS. However, you can easily write code to accomplish the same thing on any version of SharePoint based on WSS 3.0.

SPRoleDefinition roleDefinition = site.RootWeb.RoleDefinitions.GetByType(SPRoleType.Guest);
roleDefinition.BasePermissions &= ~(SPBasePermissions.EmptyMask | SPBasePermissions.ViewFormPages);
roleDefinition.BasePermissions &= ~SPBasePermissions.UseRemoteAPIs;