Anonymous Users, Forms Pages, and the Lockdown Feature

If you're running an anonymously accessible MOSS website, especially an internet-facing one, you may have noticed that your SharePoint Forms pages are also accessible to anonymous users. For example, if you're using the publishing features, anonymous users might be able to get to https://SERVER/Pages/Forms/AllItems.aspx. Typically you don't want this, so how do you prevent anonymous users from accessing these pages?

In order to help with this, we provide a Feature out of the box called the ViewFormPagesLockdown Feature, which we usually just call the Lockdown feature for simplicity. If you're experiencing this problem and want to lock anonymous users out of your Forms pages, then you can execute the following stsadm command on your farm:

 stsadm.exe -o activatefeature -url <site collection url> -filename ViewFormPagesLockdown\feature.xml

This will enable the lockdown feature on your site collection. If you already had anonymous access enabled, you'll need to go disable it, then enable it again. Go to the _layouts/setanon.aspx page, switch anonymous access off, click OK, then go back and set it to on, click OK. You should now get an authentication prompt when you try to navigate to a forms page. For example, try https://www.tylerbutler.com/Pages/Forms/AllItems.aspx.
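A quick way to confirm the change took effect is to request the Forms pages without credentials and see which ones still render. The script below is an added example, not code from the original post: it issues anonymous GETs (redirects deliberately not followed, so a bounce to a login page is reported rather than mistaken for a rendered page) and flags any Forms page that answers 200. The paths list is an assumption for illustration; the first entry is the post's own example, the second an assumed document-library path of the same shape.

```python
"""Audit whether SharePoint Forms pages still answer anonymous requests."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed sample paths (assumption): the post's example plus an assumed
# document-library Forms page of the same shape.
DEFAULT_FORMS_PAGES = [
    "/Pages/Forms/AllItems.aspx",
    "/Documents/Forms/AllItems.aspx",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so a login redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status an anonymous (credential-less) GET receives."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "lockdown-audit"})
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/3xx all surface here with no redirect handler


def classify(status: int) -> str:
    """Map a status code to an audit verdict.

    200        -> page rendered for an anonymous user: lockdown not effective
    401 / 403  -> credentials demanded or access denied: locked down
    301 / 302  -> redirected (often to a login page): check where it goes
    anything else (404, 5xx, ...) is inconclusive and deserves a manual look
    """
    if status == 200:
        return "EXPOSED"
    if status in (401, 403):
        return "LOCKED"
    if status in (301, 302):
        return "REDIRECT"
    return "INCONCLUSIVE"


def audit(site_url: str, paths: List[str] = DEFAULT_FORMS_PAGES,
          fetch: Callable[[str], int] = anonymous_status) -> Dict[str, str]:
    """Probe each Forms page anonymously; returns {path: verdict}.

    `fetch` is injectable so the logic can be exercised without a live site.
    """
    base = site_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}
```

Run it as `audit("https://SERVER")` against your own site collection after toggling anonymous access off and on; every entry should come back LOCKED.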

If you just wanted the solution, you can stop reading. If you want to know what this feature does and why you may or may not be having this problem, read on. :-)

In SharePoint, anonymous users' rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. It exists because, if you have a library or subsite with broken permissions inheritance and you give a user or group access to only that library or subsite, the user or group must still have some access to the root web in order to view its contents. Otherwise the user or group will be unable to browse the library or subsite, even though they have rights there, because things in the root web are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that breaks permissions inheritance, SharePoint automatically grants that group or user Limited Access on the root web.

This explains why you might see users and groups having Limited Access applied to them even though you never did it explicitly. But what about anonymous users? Where do they fit in? As I said above, anonymous users' rights are defined by the Limited Access permission level. If you want to see what rights Limited Access is composed of in your site, go to https://SERVER/_layouts/role.aspx and click on Limited Access.

Because there's no way to change this permission level through the UI, and because anonymous users' rights are defined by this permission level, we created the Lockdown feature to toggle a couple of rights on and off. Specifically, the Lockdown feature removes the View Application Pages permission and the Use Remote Interfaces permission. View Application Pages is the right that allows anonymous users to access the Forms pages; after enabling the Lockdown feature, they no longer have it.

So why do some sites end up with the Lockdown feature not enabled? It all depends on which site template you used when you created your site. By default, the Lockdown feature is enabled on the Publishing Portal template, so if you started with that template, you shouldn't have this problem. Otherwise, enable the feature and you're good to go.

For more info on security for external sites, see Plan security for an external anonymous access environment on TechNet.

Tyler Butler
Program Manager, Web Content Management