Lockdown Mode in SharePoint 2010


I discovered what I thought was a strange issue with SharePoint 2010. The issue was that anonymous users were unable to post comments on a blog site. To be more specific, this blog site was part of a site collection that was provisioned as a Publishing Portal. Simply stated, the blog site is a sub-site under a publishing portal site. Comments on a blog site are stored as a list. List permissions can be modified “stopping inheritance” to allow anonymous users read/write access to a list. In theory, anonymous users should be able to read/write to a list. This is true except when the site collection is based on a publishing portal. In this specific scenario, anonymous users are prompted for credentials when attempting to post a comment within a blog site. Just like in Moss 2007, SharePoint 2010 has a feature called ViewFormPagesLockdown. This feature prevents anonymous users from gaining access to certain areas of a site. I’m not going to go any further in detail because it’s documented very well by our ECM team here:

http://blogs.msdn.com/ecm/archive/2007/05/12/anonymous-users-forms-pages-and-the-lockdown-feature.aspx

This feature still exists in SharePoint 2010 and is still automatically turned on for Publishing Portal sites. This feature is referred to as lockdown mode and can be turned on or off by enabling/disabling the ViewFormPagesLockdown feature. In this scenario, I want to toggle lockdown mode to off so anonymous users can post comments to the blog site. This is accomplished by using either STSADM or PowerShell. I prefer using PowerShell:

To determine if a site has ViewFormPagesLockdown enabled run the following:

get-spfeature -site http://sitecollectionURL

If ViewFormPagesLockDown is listed, it’s enabled.

To toggle lockdown mode to off:

$lockdown = get-spfeature viewformpageslockdown

disable-spfeature $lockdown -url http://sitecollectionURL

If anonymous is already setup, you may need to disable\re-enable anonymous on the site.


Comments (9)

  1. Sebastian says:

    I have a site collection that was provisioned as a Blog, and while the lock down feature is not enabled, I still cannot post anonymous comments.  Ideas?

  2. Russ Maxwell says:

    My guess is that you don't have anonymous permissions setup properly to the site…

  3. Sebastian says:

    Anonymous access is fully functional.  Our environment differs because instead of a Publishing Site site collection with a Blog sub-site, we just have a Blog site collection, no sub-sites.  

    If ran get-spfeature and "ViewFormPagesLockDown" is not even listed, which makes sense since it shouldn't be there.

    To resolve this, just go to the "Comments" list and…

    1. Click "Permissions for this list"

    2. Click "Stop Inheriting Permissions"

    3. Click "Anonymous Access"

    4. Select "Add Items  –  Add items to lists." and click OK

  4. Tom Resing says:

    Do you know if something similar is available for SharePoint Foundation? I receive an error when I try this on a Foundation Install.

    PS C:UsersTom Resing> $lockdown = get-spfeature viewformpageslockdown

    Get-SPFeature : Cannot find a Feature object with Path or Id: viewformpageslock

    down in scope Local farm.

    At line:1 char:26

    + $lockdown = get-spfeature <<<<  viewformpageslockdown

       + CategoryInfo          : InvalidData: (Microsoft.Share…mdletGetFeature:

      SPCmdletGetFeature) [Get-SPFeature], SPCmdletPipeBindException

       + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletGetFeatu

      re

  5. Marc Charmois says:

    Hi Tom,

    Yes, something similar is now available for wss 3.0 and SharePoint 2010 Foundation

    I had released a version of the lockdown feature for wss 3.0 and SharePoint Foundation that you can download on Codeplex.

    customlockdown.codeplex.com

    Hope that helps…

    Marc

  6. Willy says:

    I was led to this blog by Technet article "Best practices for publishing sites (SharePoint Server 2010)" (technet.microsoft.com/…/cc850698%28office.14%29.aspx).  So even after following the above instructions, triple checking settings in CA for the Web app and the site's permissions, toggling appropriate settings from enable to disable and vice versa, still no dice.  Is an iisreset or other command supposed to be executed after the above?  The ULS logs aren't of any help either.

  7. Hey guys, awesome find, note that this still applies in SharePoint 2013.

  8. Spex5 says:

    How can I disable this feature in SP 2013 Foundation?  It does not come up in get-spfeature.  I can't access it directly by name.

  9. Mat Safe says:

    I'm not how desirable disabling viewformstaelock is given that we have found, at the site level it allows access to all lists in a site, possibly some undesirable ones, does anyone know if this is the case? We are down the road of applying custom permissions to the annonymous user permMask for only the lists we need that functionality on. If anyone has a better suggestion?

Skip to main content