SharePoint Web Services Exposed to Anonymous Access Users

I accidentally found that my SharePoint test environment’s web service URLs were exposed in Google with anonymous access!


And I was able to access the web services anonymously!


Even though SharePoint web services are exposed to anonymous access, SharePoint will not allow anyone to go beyond their access rights. For example, to call the Add List Item method via a web service, the end user must have at least Contributor permission.

But the problem is that it exposes a lot of content via web services, e.g. SiteData.asmx, which exposes every page of our SharePoint site. We don’t want to expose data to anyone, and we don’t want anonymous users to access our web services, do we?

What is the Fix for SharePoint web services anonymous access?

Most of the web services reside at “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI”, which is mapped as the virtual folder “/_vti_bin”. So, let’s instruct SharePoint to require authentication for the /_vti_bin directory by editing the web.config file of the web application, under the <configuration> node:

<!-- Disable anonymous access to _vti_bin -->
<location path="_vti_bin">
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</location>

In the above web.config, we’ve denied all anonymous users and enabled only “_vti_bin/ReportServer/ReportServiceAuthentication.asmx” (Note: order is important!). Don’t forget to make this change on all SharePoint servers! This will stop anonymous access to the SharePoint web services.
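An added example, not code from the original post: a static check to run over a copy of each server's web.config to confirm which `_vti_bin` paths still admit anonymous requests. The embedded config is constructed (including the `<allow users="*" />` form of the ReportServiceAuthentication.asmx exception, which the post names but does not show), `sites/team` is a hypothetical subsite, and the rule evaluation is a simplified model of ASP.NET URL authorization.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the fix described above; not a real server's file.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="_vti_bin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="_vti_bin/ReportServer/ReportServiceAuthentication.asmx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def rules(node):
    """Return [(action, users), ...] from node's system.web/authorization, in file order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """Simplified model (an assumption of this example): rules of the most specific
    matching <location> are tried first, then less specific ones, then the root.
    The first rule naming "?" or "*" decides; with no such rule the default is allow.
    Location paths are prefixes relative to the web application root."""
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        path = (loc.get("path") or "").strip("/").lower()
        path = "" if path == "." else path
        if path == "" or target == path or target.startswith(path + "/"):
            scopes.append((len(path), loc))
    scopes.sort(key=lambda s: s[0], reverse=True)  # most specific first
    for node in [loc for _, loc in scopes] + [root]:
        for action, users in rules(node):
            if users & {"?", "*"}:
                return action == "allow"
    return True

def audit(config_xml, paths):
    """Map each application-relative path to True if anonymous access is allowed."""
    return {p: anonymous_allowed(config_xml, p) for p in paths}

if __name__ == "__main__":
    checks = ["_vti_bin/SiteData.asmx",
              "_vti_bin/ReportServer/ReportServiceAuthentication.asmx",
              "sites/team/_vti_bin/SiteData.asmx"]  # hypothetical subsite URL
    for path, allowed in audit(SAMPLE_WEB_CONFIG, checks).items():
        print(("ANONYMOUS  " if allowed else "AUTH NEEDED"), path)
```

Under this model a subsite-relative path matches neither `<location>` block and is reported as anonymous, so confirm such paths against the live servers as well.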

[Screenshot: output after the fix is implemented]


Salaudeen Rajack


3 thoughts on “SharePoint Web Services Exposed to Anonymous Access Users”

  • We implemented the same; however, it is reflecting only for the root site.
    Sub sites’ _vti_bin is still accessible. Please suggest.

  • In fact, this works only on the root site, we can still access subsites anonymously.

  • Even after changing the web.config, the list can still be accessed anonymously. Could you please suggest?

