

(B)Locking system pages on SharePoint sites

To prevent anonymous visitors from browsing system pages on a public-facing website, SharePoint offers the ViewFormPagesLockdown Feature. This hidden Feature, which is part of the standard Publishing Site, prevents anonymous visitors from accessing system pages once it is activated. Whenever an anonymous user browses to a system page, they are prompted to authenticate.

[Figure: Authentication prompt displayed to an anonymous user on a public SharePoint site after browsing to a system page.]

From a user-experience perspective, prompting for credentials is not expected behavior, and administrators would like to avoid it.

In addition, denying access to system pages reduces the opportunity for attackers to probe them. Although the ViewFormPagesLockdown Feature provides some protection against form page access, it is not complete, so an enhancement is required to block these pages completely.

One possible option is to use the IIS URL Rewrite Module 2.0 extension.

About IIS URL Rewrite 2.0:
IIS URL Rewrite 2.0 enables Web administrators to create powerful rules to implement URLs that are easier for users to remember and easier for search engines to find. By using rule templates, rewrite maps, .NET providers, and other functionality integrated into IIS Manager, Web administrators can easily set up rules to define URL rewriting behavior based on HTTP headers, HTTP response or request headers, IIS server variables, and even complex programmatic rules. In addition, Web administrators can perform redirects, send custom responses, or stop HTTP requests based on the logic expressed in the rewrite rules.

Solution:

IIS URL Rewrite 2.0 can be used to block system pages completely.

Download and install the IIS URL Rewrite Module 2.0 from the location https://go.microsoft.com/?linkid=9722532 on all SharePoint web front ends.

After installation, close and reopen the IIS console to see the URL Rewrite icon for every web application.

Open the IIS web application on which you need to block the system pages. Usually this is the public anonymous site extended to the Internet zone.

Add the following rewrite block to the web application's web.config, just before the closing </system.webServer> tag. This procedure needs to be performed on all web front end servers.

<rewrite>
  <rules>
    <clear />
    <!-- Let the client object model endpoint through before the block rules are evaluated -->
    <rule name="Allow _vti_bin Client.svc" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{URL}" pattern="*/_vti_bin/client.svc*" />
      </conditions>
      <action type="None" />
    </rule>
    <!-- enabled must be "true" for the rule to take effect; {C:1} is the part of the URL before _layouts/ or _vti_bin/ -->
    <rule name="Block Admin Pages" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{URL}" pattern="*_layouts/*.aspx" />
        <add input="{URL}" pattern="*_vti_bin/*" />
      </conditions>
      <action type="Redirect" url="{C:1}" />
    </rule>
    <!-- List form and view pages are redirected to the host root -->
    <rule name="Block Form Pages" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{URL}" pattern="*/forms/*" />
        <add input="{URL}" pattern="*/overview.aspx" />
        <add input="{URL}" pattern="*/summary.aspx" />
        <add input="{URL}" pattern="*/allitems.aspx" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}" />
    </rule>
  </rules>
</rewrite>

Adding the above block to web.config recycles the app pool automatically. As a validation step, check the web application's configuration using the Configuration Editor in IIS.

Any error in the UI indicates that something went wrong with the web.config update.

After successful validation, try to access a system page, for example /_layouts/settings.aspx, and ensure it is redirected to the home page.
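
The following is an added example, not part of the original post: a small Python model of the three rules, so a list of URL paths can be checked against them offline before the block is placed on a web front end. It treats all three rules as enabled and assumes that a wildcard `*` captures greedily and case-insensitively and that {URL} carries the path without the query string; the host name www.example.test and the sample paths are constructed.

```python
import re

# Rules transcribed from the web.config block, in evaluation order.
# Each entry: (name, wildcard patterns joined by MatchAny, action, redirect template)
RULES = [
    ("Allow _vti_bin Client.svc", ["*/_vti_bin/client.svc*"], "None", None),
    ("Block Admin Pages", ["*_layouts/*.aspx", "*_vti_bin/*"], "Redirect", "{C:1}"),
    ("Block Form Pages",
     ["*/forms/*", "*/overview.aspx", "*/summary.aspx", "*/allitems.aspx"],
     "Redirect", "https://{HTTP_HOST}"),
]

def wildcard_to_regex(pattern):
    """Translate a wildcard pattern; each * becomes a capture group (assumed greedy)."""
    body = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

def evaluate(path, host="www.example.test"):
    """Return (rule_name, action, location) for the first rule that matches path."""
    for name, patterns, action, template in RULES:
        for pattern in patterns:                  # logicalGrouping="MatchAny"
            m = wildcard_to_regex(pattern).match(path)
            if not m:
                continue
            if action == "None":                  # stopProcessing: later rules are skipped
                return name, "None", None
            location = template.replace("{HTTP_HOST}", host).replace("{C:1}", m.group(1))
            return name, "Redirect", location
    return None, "None", None                     # no rule matched; request is served

# Constructed sample paths covering each rule and the pass-through cases.
SAMPLES = [
    "/_vti_bin/client.svc/ProcessQuery",
    "/sites/a/_layouts/15/settings.aspx",
    "/_vti_bin/lists.asmx",
    "/Lists/Tasks/AllItems.aspx",
    "/Documents/Forms/AllItems.aspx",
    "/_layouts/15/images/logo.png",
    "/Pages/default.aspx",
]

def report():
    """Map every sample path to the rule decision it receives."""
    return {path: evaluate(path) for path in SAMPLES}

if __name__ == "__main__":
    for path, (rule, action, location) in report().items():
        print(f"{path:40} {action:8} {location or '-':28} {rule or 'no rule'}")
```

The output shows that non-.aspx resources under _layouts, such as images, are not matched by any rule and are still served.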

Comments

  • Anonymous
    September 27, 2015
    Hi Thiru, great post. One question is how to allow system/layouts pages for administrators or some custom SharePoint groups? Does any configuration need to be done separately for that?

  • Anonymous
    September 27, 2015
    Usually we go for this option on non-default zones (Internet or extranet) or extended zones. Hence you will apply this configuration on extended web applications. Also, I would recommend you apply this only on extended zones, leaving the default zone intact, so that you can access the site as admin through the default zone URL. The other possibility could be to apply the configuration only on the WFEs. This would allow the admins to access the site from ADM servers with a host file entry (if your ADM server is enabled with web application services).