I accidentally found that my SharePoint test environment's web service URLs were exposed in Google as anonymously accessible, and I was able to access the web services anonymously!
Even though the SharePoint web services are exposed to anonymous access, SharePoint will not let anyone do more than their access rights permit. For example, to call the add-list-item method via the web service, the end user must have at least Contribute permission.
The problem is that the web services still disclose a lot of content: SiteData.asmx, for instance, exposes every page of our SharePoint site. We don't want to expose that data to anyone, and we don't want anonymous users calling our web services at all.
What is the Fix for SharePoint web services anonymous access?
Most of the web services reside at "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI", which is mapped to the virtual folder "/_vti_bin". So let's instruct SharePoint (more precisely, ASP.NET) to require authentication for the /_vti_bin directory by editing the web.config file of the web application, under the <configuration> node:
<!-- Disable anonymous access to _vti_bin -->
<location path="_vti_bin">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<!-- ... but keep the Reporting Services authentication endpoint reachable -->
<location path="_vti_bin/ReportServer/ReportServiceAuthentication.asmx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
In the above web.config we've denied all anonymous users (in ASP.NET authorization rules, "?" means unauthenticated users and "*" means everyone) and enabled only "_vti_bin/ReportServer/ReportServiceAuthentication.asmx" (note: order is important! ASP.NET evaluates the rules for the more specific path first, so the allow on the .asmx wins over the deny on the parent folder). Don't forget to make this change on all SharePoint web front-end servers, since each server has its own copy of the web application's web.config. This will stop anonymous access to the SharePoint web services.
Output after the fix was implemented:
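To apply the change above on each server without hand-editing web.config, and to confirm from the outside that the services now demand credentials, here is a PowerShell script. It is an added example, not code from the original post: the web.config path and site URL are placeholders for your own web application, and SiteData.asmx, Lists.asmx and Webs.asmx are standard SharePoint web services used here only as probes.

```powershell
# Added example, not code from the original post: applies the two <location>
# rules from the post to a web application's web.config, then probes the web
# services anonymously to confirm they now require authentication.
# Assumptions (placeholders, not from the post): $WebConfigPath and $SiteUrl.

param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [string]$SiteUrl       = 'http://sharepoint.example.com'
)

# Appends <location path=...><system.web><authorization><allow|deny users=.../>
# to the <configuration> root unless a <location> for that path already exists.
function Add-LocationRule {
    param(
        [System.Xml.XmlDocument]$Config,
        [string]$Path,
        [ValidateSet('allow', 'deny')][string]$Rule,
        [string]$Users   # '?' = anonymous (unauthenticated) users, '*' = all users
    )
    $root = $Config.DocumentElement
    if ($root.SelectSingleNode("location[@path='$Path']")) {
        Write-Host "location '$Path' already present, leaving it alone"
        return $false
    }
    $location = $Config.CreateElement('location')
    $location.SetAttribute('path', $Path)
    $systemWeb     = $Config.CreateElement('system.web')
    $authorization = $Config.CreateElement('authorization')
    $ruleElement   = $Config.CreateElement($Rule)
    $ruleElement.SetAttribute('users', $Users)
    [void]$authorization.AppendChild($ruleElement)
    [void]$systemWeb.AppendChild($authorization)
    [void]$location.AppendChild($systemWeb)
    [void]$root.AppendChild($location)
    return $true
}

# Returns the HTTP status an unauthenticated client receives for $Url.
# No credentials are sent, so this is exactly what a search-engine crawler sees.
function Test-AnonymousAccess {
    param([string]$Url)
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$response.StatusCode
    }
    catch {
        # Windows PowerShell throws on 401/403/404; the status is on the response.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# 1. Back up, then edit web.config. Repeat on every web front-end server.
Copy-Item $WebConfigPath "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
$config = New-Object System.Xml.XmlDocument
$config.Load($WebConfigPath)
$changed = $false
# Deny anonymous users everything under /_vti_bin ...
$changed = (Add-LocationRule -Config $config -Path '_vti_bin' -Rule 'deny' -Users '?') -or $changed
# ... except the Reporting Services authentication endpoint the post leaves open.
$changed = (Add-LocationRule -Config $config -Path '_vti_bin/ReportServer/ReportServiceAuthentication.asmx' -Rule 'allow' -Users '*') -or $changed
if ($changed) { $config.Save($WebConfigPath); Write-Host "Saved $WebConfigPath" }

# 2. Verify from the outside. Expect 401 for the first three (SiteData.asmx is
#    the one the post singles out); ReportServiceAuthentication.asmx should stay
#    200, or 404 if Reporting Services integration is not installed.
$probes = @(
    "$SiteUrl/_vti_bin/SiteData.asmx",
    "$SiteUrl/_vti_bin/Lists.asmx",
    "$SiteUrl/_vti_bin/Webs.asmx",
    "$SiteUrl/_vti_bin/ReportServer/ReportServiceAuthentication.asmx"
)
foreach ($url in $probes) {
    $status  = Test-AnonymousAccess -Url $url
    $verdict = switch ($status) {
        200                  { 'ANONYMOUS' }
        { $_ -in 401, 403 }  { 'blocked' }
        default              { 'check' }
    }
    '{0,-10} {1} {2}' -f $verdict, $status, $url
}
```

Run it in an elevated Windows PowerShell session on each web front-end; saving web.config recycles the application domain, so no IIS reset is needed. Run the probe part from a machine that is not domain-joined (or from outside the network) so that no Windows credentials can be negotiated behind your back, otherwise a 200 may simply mean your own account was accepted.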
Technet Reference: https://technet.microsoft.com/en-us/library/ee191479%28v=office.12%29.aspx