SharePoint Web Services Exposed to Anonymous Access Users

I accidentally found that my SharePoint test environment’s web service URLs are exposed in Google with anonymous access!

And I was able to access the web services anonymously!

Even though the SharePoint web services are reachable anonymously, SharePoint will not let anyone act beyond their access rights. For example, to call the Add List Item method via a web service, the end user must have at least Contributor permission.

The problem is that it discloses a lot of content via web services, e.g. SiteData.asmx, which exposes every page of our SharePoint site. We don’t want to expose data to just anyone, and we don’t want anonymous users to access our web services, do we?

What is the Fix for SharePoint web services anonymous access?

Most of the web services reside at “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\ISAPI”, which is mapped as the virtual folder “/_vti_bin”. So, let’s instruct SharePoint to require authentication for the /_vti_bin directory by editing the web.config file of the web application, under the <configuration> node:

<!-- Disable anonymous access to _vti_bin -->
<location path="_vti_bin">
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</location>

In the above web.config we’ve denied all anonymous users and enabled only “_vti_bin/ReportServer/ReportServiceAuthentication.asmx” (note: order is important!). Don’t forget to make this change on all SharePoint servers! This will stop anonymous access to the SharePoint web services.
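
To check a server's web.config for this change and to see why rule order matters, the following added example (not code from the original post) evaluates ASP.NET URL authorization for an anonymous request. The sample config is constructed, the function names are hypothetical, and the model is simplified: it reads only the users attribute and assumes no rules outside this one file.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not the author's file): deny anonymous on
# _vti_bin, re-allow the one Reporting Services endpoint named in the post.
SAMPLE = """<configuration>
  <location path="_vti_bin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="_vti_bin/ReportServer/ReportServiceAuthentication.asmx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return [(action, users_set)] from node's system.web/authorization, in order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """True if an unauthenticated request to url_path passes URL authorization.

    Simplified model (assumption): only the users attribute is read (roles and
    verbs are ignored), and no rule outside this file applies before the
    built-in default of allow-all.
    """
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p in ("", ".") or target == p or target.startswith(p + "/"):
            scopes.append((0 if p in ("", ".") else len(p), _rules(loc)))
    scopes.append((-1, _rules(root)))          # <system.web> directly under root
    # Most specific scope first; inside a scope the first matching rule wins.
    for _, rules in sorted(scopes, key=lambda s: s[0], reverse=True):
        for action, users in rules:
            if "?" in users or "*" in users:
                return action == "allow"
    return True                                # ASP.NET default: allow users="*"
```

Run it against the web.config text from each SharePoint server; a True result for any path under /_vti_bin other than the intended exception means that server still answers anonymous callers.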

Output after the fix is implemented (screenshot: SharePoint 2007 web services anonymous access).


Salaudeen Rajack
