ViewFormPagesLockDown - Restrict Permission to Application Pages in SharePoint

ViewFormPagesLockDown is a SharePoint Feature (not in WSS) that helps us in:

Allows anonymous users to only view the Publishing pages, not any of the form or view pages (DispForm.aspx, AllItems.aspx)
Disallows anonymous access to pages in the _layouts directory that inherit from LayoutsPageBase.

By default all publishing sites have the feature called ‘ViewFormPagesLockdown’ activated, but not on the Collaboration Portal site or Team sites's definition. Without this Feature active on anonymous public sites, any users - including search engines like Google will be able to view (and crawl) SharePoint out-of-box pages which are tied to lists and webs that allow viewing by anonymous users.

Yes, These users might not have the ability to do anything, but you may not want anonymous users to view the form pages.

If you want to place your custom application pages inside the _layouts directory, which anonymous users must hit, there's the UnsecuredLayoutsPageBase class you can use as the base class of your page, and there's always just the Page class as in a standard ASP.Net application page.

To Activate the Feature :
stsadm -o activatefeature -url -filename ViewFormPagesLockDown\feature.xml

If you still get the Form pages visible for the end users, Try: With the ViewFormPagesLockDown feature Enabled, disable Anonymous Access in the site, then re-enable it.
MSDN Link: http://technet.microsoft.com/en-us/library/cc263468(office.12).aspx

3 comments:

AnonymousAugust 13, 2012 at 7:01 PM
Nice, thanks for information.
Sad but MS is still pushing us to use stsadm instead of PowerShell in many situations.
Prasath CFebruary 28, 2014 at 3:51 PM
But, how do you do this for a user with Full control?
AnonymousJanuary 13, 2017 at 11:53 PM
I don't see that in my SP2013 Team Foundation. Is that feature only available in Enterprise?