Monday, June 11, 2012

SharePoint Web Services Exposed to Anonymous Access Users

I accidentally found that my SharePoint test environment's web service URLs are exposed in Google with anonymous access, and I was able to access the web services anonymously!

Even though the SharePoint web services are exposed to anonymous access, SharePoint will not allow anyone to go beyond their access rights. For example, to call the Add List Item method via a web service, the end user must have at least Contributor permission.

But the problem is that it exposes a lot of content via web services, e.g. SiteData.asmx, which exposes every page of our SharePoint site. We don't want to expose data to just anyone, and we don't want anonymous people to access our web services, do we?

What is the Fix for SharePoint 2007 web services anonymous access?
Most of the web services reside at "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI", which is mapped as the virtual folder "/_vti_bin". So, let's instruct SharePoint to require authentication for the /_vti_bin directory by editing the web.config file for the web application, under the <configuration> node:

<!-- Disable anonymous access to _vti_bin -->
<location path="_vti_bin">
    <system.web>                  
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

In the above web.config, we've denied all anonymous users and enabled only "_vti_bin/ReportServer/ReportServiceAuthentication.asmx" (note: order is important!). Don't forget to make this change on all SharePoint servers! This will stop anonymous access to the SharePoint web services.
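Because the change has to be present on every server, a small audit of each web.config helps. The following is an added example, not code from the original post: it reads a web.config, applies ASP.NET's first-match rule order to the anonymous user for the `_vti_bin` location, and lists sub-paths that re-allow anonymous access. The sample fragments are constructed, the `<allow users="*" />` entry for the ReportServer path is an assumption, and `roles`/`verbs` attributes are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (assumed: no XML namespace on <configuration>).
FIXED = """<configuration>
  <location path="_vti_bin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="_vti_bin/ReportServer/ReportServiceAuthentication.asmx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""
WRONG_ORDER = """<configuration>
  <location path="_vti_bin">
    <system.web><authorization>
      <allow users="*" /><deny users="?" />
    </authorization></system.web>
  </location>
</configuration>"""
UNFIXED = "<configuration><system.web /></configuration>"


def anonymous_verdict(location):
    """First allow/deny rule matching the anonymous user ('?' or '*') wins."""
    for rule in location.findall("./system.web/authorization/*"):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag in ("allow", "deny") and users & {"?", "*"}:
            return rule.tag
    return "inherit"  # no matching rule here; the parent configuration decides


def audit_vti_bin(web_config_xml):
    """Return (_vti_bin verdict, sub-paths under _vti_bin open to anonymous)."""
    root = ET.fromstring(web_config_xml)
    verdict, exceptions = "inherit", []
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        if path == "_vti_bin":
            verdict = anonymous_verdict(loc)
        elif path.startswith("_vti_bin/") and anonymous_verdict(loc) == "allow":
            exceptions.append(loc.get("path"))
    return verdict, exceptions


if __name__ == "__main__":
    for name, xml in (("fixed", FIXED), ("wrong order", WRONG_ORDER), ("unfixed", UNFIXED)):
        print(name, audit_vti_bin(xml))
```

A verdict other than "deny" on any server means the fix is missing or overridden there, and every listed exception should be one you intended.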

Output after the fix is implemented: [screenshot: SharePoint 2007 web services anonymous access]

Technet Reference: http://technet.microsoft.com/en-us/library/ee191479%28v=office.12%29.aspx


