Drawing the Curtain: Removing Access to the Site Settings Page for non-Administrative Users


 

NOTE:  In this article, I discuss making some changes to SharePoint which are unsupported by Microsoft.  As an employee within the Support realm, I want to stress that the CheckPermissions() solution below is currently unsupported by Microsoft — if you make the change, you are on your own.  🙂  That said, I have gone ahead and discussed some of the ramifications of making the change, because I think that the solution is a good one despite its being unsupported.  In short — you’ve been warned.


 


You might have noticed that authenticated users granted Reader access to a SharePoint site also have access to the Site Settings page:  _layouts/<LCID>/settings.aspx.  Although these users will typically have no rights to access any of the pages linked therein, it might be desirable to remove access to the settings.aspx page altogether, so that non-Administrative users don’t even have the option to see what can be done from an administrative perspective.  Honestly, I’m really not sure why this page is able to be viewed by non-Administrative users to begin with, but that’s irrelevant;  it is viewable, and I want to change that.


 


I have two options, one supported and one unsupported:


 


1)  Somewhat complicated, but supported:  write a wildcard-mapped ISAPI extension


 


2)  Simple, but strictly not supported:  drop a CheckPermissions() call onto the settings.aspx page


 


I’ve covered both of these options in more detail below:


 


*****


 


ISAPI Extension


 


Although writing an ISAPI extension isn’t a particularly simple task, and requires knowledge of C++ programming, etc., it is a possible (and supported) solution.  Essentially, I would need to create a wildcard-mapped ISAPI extension that examines each request.  I would start by checking the requested URL by looking in the VTI_SCRIPT_NAME server variable.  If that request was for a _layouts page (settings.aspx in particular), my ISAPI extension could check the authentication type and/or authentication user from the server variables (AUTH_TYPE and AUTH_USER).


 


If, for example, the AUTH_USER server variable were blank, the ISAPI extension could redirect by posting a 302 Redirect to some other URL — including, for example, a custom error page somewhere.
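The request check described above, sketched as portable C++ so the matching logic can be tested apart from IIS. This is an added example, not code from the SDK sample or from the author; `is_site_settings`, `decide` and the `admins` allowlist are hypothetical names, and the allowlist goes beyond the blank-AUTH_USER case in the text. The ISAPI glue that reads the server variables and sends the 302 is assumed to live in the extension itself.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <set>
#include <string>
#include <vector>

enum class Decision { PassThrough, Redirect302 };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split the path into lower-cased segments; the query string and empty
// segments (doubled slashes) are dropped.
static std::vector<std::string> segments(const std::string& url) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : url.substr(0, url.find('?'))) {
        if (c != '/') { cur += c; continue; }
        if (!cur.empty()) out.push_back(lower(cur));
        cur.clear();
    }
    if (!cur.empty()) out.push_back(lower(cur));
    return out;
}

// True when the path contains _layouts/<LCID>/settings.aspx at any site depth.
// The LCID segment must be all digits, so _layouts/images/... does not match.
bool is_site_settings(const std::string& url) {
    const std::vector<std::string> seg = segments(url);
    for (std::size_t i = 0; i + 2 < seg.size(); ++i) {
        const std::string& lcid = seg[i + 1];
        bool numeric = std::all_of(lcid.begin(), lcid.end(),
                                   [](unsigned char c) { return std::isdigit(c) != 0; });
        if (seg[i] == "_layouts" && numeric && seg[i + 2] == "settings.aspx") return true;
    }
    return false;
}

// auth_user is the AUTH_USER value; admins is a hypothetical allowlist of
// lower-cased DOMAIN\user names (an assumption, not something the article defines).
Decision decide(const std::string& url, const std::string& auth_user,
                const std::set<std::string>& admins) {
    if (!is_site_settings(url)) return Decision::PassThrough;   // not our page
    if (auth_user.empty()) return Decision::Redirect302;        // anonymous request
    return admins.count(lower(auth_user)) ? Decision::PassThrough
                                          : Decision::Redirect302;
}
```

Matching is case-insensitive and independent of the LCID value, so the same check covers every language folder under _layouts and every subsite.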


 


The IIS SDK includes ISAPI extension samples, including a wildcard-mapped ISAPI extension sample.  Here’s a link to the Platform SDK Update site, where you can obtain any of the various platform SDK modules:


 


http://www.microsoft.com/msdownload/platformsdk/sdkupdate/


 


I would start with the WildcardMap sample provided in the SDK (…\Microsoft SDK\Samples\web\iis\ISAPI_6.0\WildCardMap).  This sample is specifically designed to capture *every* request.  To use this with IIS, I’ll need to register the built ISAPI extension within IIS. 


 


NOTE: With Windows Server 2003 and with SharePoint Portal Server (or Windows SharePoint Services), there are some additional steps required to get the ISAPI extension functioning, which I cover below.


 


Once built, I can simply open up the IIS management console, right-click the web site I want to register the ISAPI with to get the web site properties, and choose the “Home Directory” (or “Virtual Directory” if this is a virtual directory rather than a web site) tab. 


 


Click the “Configuration…” button to open the “Application Configuration” dialog.  Under the “Wildcard application maps” section, choose “Insert…” and enter the path to my built DLL (or choose “Browse…” to find it).  IMPORTANT:  to use an ISAPI extension with SharePoint, I must UN-check the “Verify that file exists” checkbox.


 


Apply all of those changes to the web site or virtual directory.


 


Next, in the IIS management console, I select “Web Server Extensions.”  This will bring up a list of the allowed and prohibited extensions.  I’ll need to click on “Add a new Web service extension…”, give the extension a name, provide a link to the built DLL, and set the status to “Allowed.”


 


At that point, my ISAPI extension should be ready to work.


 


CheckPermissions()


 


There *is* an alternative workaround, which — unfortunately — is not supported by Microsoft.  If I open one of the various administrative ASPX pages in Visual Studio.NET (or Notepad, for that matter) and view the code, I can see that there is an explicit check for role-based permissions.  For example, in User.ASPX, which is located at x:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\Layouts\1033\user.aspx, the line of code which checks permissions looks like this:


 


=====


<% spWeb.Permissions.CheckPermissions(SPRights.ManageRoles); %>


=====


 


This line checks to see if the current user has the ManageRoles right.  If so, the user is allowed to view the page;  if not, the user is prompted for authentication.  In contrast, the Settings.aspx page — the first that a user sees after clicking on “Site Settings” in a WSS site — contains no such permissions check.


 


The SPRights enumeration is covered in the MSDN Library at the location below:


 


=====


SPRights Enumeration


=====


 


This enumeration contains various rights that can be assigned to a user.  For example, the ViewPages right allows a user to view pages within a WSS Site.  It would be possible — though, again, not supported — to add a line of code like the one above to the various administrative settings pages that you wanted to restrict to Administrative users only.  For instance, if I wanted to restrict access to the Settings.aspx page only to users who have the ManageWeb right, I could include the following line of code in settings.aspx (existing/surrounding code included for reference; the new code is the CheckPermissions() line):


 


=====


SPWeb spWeb = SPControl.GetContextWeb(Context); %>


<% spWeb.Permissions.CheckPermissions(SPRights.ManageWeb); %>


<HEAD>


=====


 


With this code in place, when a user attempts to go to the settings.aspx page, SharePoint will check to see if they have the ManageWeb right;  if so, they can view the page — if not, they’ll be denied access and prompted for credentials.


 


The big caveat, as I’ve mentioned, is that this solution is not supported by Microsoft.  We do not support making any direct modifications to the code used in any of the pages in the LAYOUTS directory.  What this means is that if you were to apply this change and later were to run into any problems on your server, Microsoft PSS would require that the change be rolled back before any assistance could be given.  Additionally, Microsoft has reserved the right to overwrite any of the default (out-of-the-box) files located in the LAYOUTS directory in any future service packs or updates.  Such an overwrite would wipe out changes, so I would need to be aware of the changes that I’ve made so that I could re-implement in such a case.


 


*****


 


There is one scenario in which this isn’t an issue:  Anonymous access over the internet.  If I have set up a SharePoint site to allow anonymous authentication, and a user browses to my site, they can view pages such as default.aspx just fine.  As soon as they attempt to view settings.aspx, though, they will be prompted.  Because the user is not on my domain, Windows Integrated authentication cannot negotiate authentication to settings.aspx, and the user will be prompted.

Comments (89)

  1. timh says:

    good ideas…

    one thing i did similar to the isapi might be an easier implementation accomplishing the same goal — i wrote an HttpHandler — basically the same thing, but the handler sniffed out the request for that specific path (and others, namely manage users) and did its voodoo based on the person.

  2. Some comments about security feature missing in sharepoint.

  3. Bil Simser says:

    Ryan,

    While I understand the unsupported model when you start messing with the files in the LAYOUTS directory, I don’t see why this would be unsupported except for that fact. I mean, if all the other pages have the call to CheckPermissions was it just an oversight on the original creator’s part to not include it? Maybe it would be better to have it changed in a service pack so it would be supported? Unless there’s something on that page that a user without the Manage Web right would need?

  4. Chandy says:

    Good article.  Shame WSS is so crappy in the first place that this article needs to exist.  There should also be a way to remove the settings link entirely for non-administrators!
