Securing SharePoint for Internet sites
By Russ Basiura
June 12, 2012
SharePoint 2010 has provided users with the ability to take their companies where very few had gone before them: the Internet. In the release, Microsoft addressed several limitations that made it challenging to leverage SharePoint for an Internet site, including changes to the licensing model that make it a more cost-effective and competitive solution.
Many standard security principles have always applied when deploying SharePoint to the Internet. Use a defense-in-depth strategy with multiple security zones to isolate networks and your farm; harden your servers (including SQL Server); apply the latest cumulative updates with all security patches; use SSL; and leverage an application layer firewall like Microsoft’s Unified Access Gateway. The SharePoint 2010 platform, including enhancements made in IIS and ASP.NET, has helped greatly to resolve other challenges around authentication and authorization.
Publishing sites will typically be used as Internet-facing sites and are commonly configured for anonymous access for the majority of the site. Opening a SharePoint site to anonymous users introduces several challenges in securing your SharePoint Internet site.
One of those challenges is that, by default, all SharePoint sites have a permission level named "Limited Access," which is granted to all users who have access to a SharePoint site. The Limited Access permission level grants the "View Application Pages" right, which enables users to view all the SharePoint system pages for items, such as lists. This is not desirable for Internet sites because publishing sites are usually very structured and controlled. Content owners want to control what the users of a site can see.
To control this type of access, site administrators need to remove the "View Application Pages" right from the "Limited Access" permission level. Unfortunately, the "Limited Access" permission level is not editable through the browser interface. However, Microsoft has provided a feature named "Restrict Limited Access Permissions" (found in the path [...]\12\TEMPLATE\FEATURES\ViewFormPagesLockdown) that programmatically removes the "View Application Pages" right from the "Limited Access" permission level.
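The following PowerShell is an added example, not code from the article or from Microsoft. It activates the feature on one site collection and then confirms that "Limited Access" no longer carries the right, which the object model names `ViewFormPages`. It assumes the SharePoint 2010 Management Shell on a farm server; the site URL and the function name `Test-ViewFormPagesGranted` are placeholders chosen for illustration.

```powershell
# Added example. $SiteUrl is a placeholder for your Internet-facing site collection.
param([string]$SiteUrl = "https://www.example.com")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Returns $true if "Limited Access" still grants View Application Pages.
function Test-ViewFormPagesGranted {
    param([string]$Url)
    $site = Get-SPSite -Identity $Url
    try {
        # "Limited Access" is the built-in role definition of type Guest.
        $role = $site.RootWeb.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Guest)
        # BasePermissions is a flags enum; ToString() lists the granted rights.
        $rights = $role.BasePermissions.ToString() -split ',\s*'
        Write-Host ("{0}: {1}" -f $role.Name, ($rights -join ', '))
        return ($rights -contains 'ViewFormPages')
    }
    finally {
        $site.Dispose()
    }
}

# Get-SPFeature with -Site returns the feature only if it is active there.
$active = Get-SPFeature -Identity ViewFormPagesLockdown -Site $SiteUrl -ErrorAction SilentlyContinue
if ($active) {
    Write-Host "ViewFormPagesLockdown is already active on $SiteUrl"
}
else {
    Write-Host "Activating ViewFormPagesLockdown on $SiteUrl"
    Enable-SPFeature -Identity ViewFormPagesLockdown -Url $SiteUrl
}

# Verify the outcome instead of trusting the activation call.
if (Test-ViewFormPagesGranted -Url $SiteUrl) {
    Write-Warning "Limited Access still grants View Application Pages; system pages remain reachable."
}
else {
    Write-Host "Limited Access no longer grants View Application Pages."
}
```

If anonymous access was already enabled on the site before the feature was activated, it typically has to be turned off and back on before anonymous users pick up the reduced permission level.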
Anonymous access is the most common form of authentication for Internet sites. Sometimes, however, you may want to authenticate a user. In this case, you can use forms-based authentication.
This site's content Copyright © 1999 - 2013 by BZ Media LLC, All rights reserved.