Blocking access to application pages (_layouts) and Forms Pages

A few weeks ago I was fixing a bug in a SharePoint 2010 project available on the internet. The requirement was to prevent access by authenticated users who know the special SharePoint addresses (such as _layouts, etc.).

After some research I found the following post:

http://sharepointtechie.blogspot.com/2011/06/blocking-access-to-application-pages.html

This is what the post says:

SharePoint allows this by enabling the feature “ViewFormPagesLockDown”. This feature is activated at the Site Collection scope. All groups / users not having the “View Application Pages” permission will not be able to navigate to pages like “_layouts/viewlsts.aspx” or “pages/forms/allitems.aspx”.

Below are the steps to block access from application pages:
  1. Identify users / group to restrict.
  2. Set their permission to “Restricted Read” or remove the “View Application Pages” from existing assigned permission level.
  3. Enable “ViewFormPagesLockDown” feature using the PowerShell command (replace the [yoursiteurl] with the right URL):
    stsadm -o activatefeature -url [yoursiteurl] -filename ViewFormPagesLockDown\feature.xml
The above steps will block all users not having “View Application Pages” permission from accessing the application pages and form pages.
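
To check the result of the steps above, the following read-only audit is an added example, not code from the quoted post. It assumes the SharePoint 2010 Management Shell on a farm server, and $SiteUrl is a placeholder. It reports whether the feature is active and which permission levels and principals still hold “View Application Pages” (SPBasePermissions.ViewFormPages).

```powershell
# Added example: read-only audit of the lockdown on one site collection.
# $SiteUrl is a placeholder; pass your own site collection URL.
param([string]$SiteUrl = "http://yoursiteurl")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# "View Application Pages" in the UI is the ViewFormPages base permission.
# Cast to Int64 so the bitwise test also works on PowerShell 2.0.
$mask = [int64][Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
function Test-GrantsViewFormPages($roleDefinition) {
    return (([int64]$roleDefinition.BasePermissions) -band $mask) -eq $mask
}

$site = Get-SPSite -Identity $SiteUrl
try {
    # 1. Is the feature active at site collection scope?
    #    Get-SPFeature errors when it is not, so the error is suppressed.
    $feature = Get-SPFeature -Identity ViewFormPagesLockDown -Site $site `
        -ErrorAction SilentlyContinue
    if ($feature) { "ViewFormPagesLockDown: active" }
    else          { "ViewFormPagesLockDown: NOT active" }

    # 2. Permission levels that still include "View Application Pages".
    $web = $site.RootWeb
    "Permission levels granting View Application Pages:"
    foreach ($rd in $web.RoleDefinitions) {
        if (Test-GrantsViewFormPages $rd) { "  " + $rd.Name }
    }

    # 3. Users / groups bound to such a level on the root web.
    #    Subsites with unique permissions need the same loop per web.
    "Principals that can still reach application and form pages:"
    foreach ($ra in $web.RoleAssignments) {
        foreach ($rd in $ra.RoleDefinitionBindings) {
            if (Test-GrantsViewFormPages $rd) {
                "  {0} -> {1}" -f $ra.Member.Name, $rd.Name
            }
        }
    }
}
finally {
    $site.Dispose()   # SPSite holds unmanaged resources
}
```

Any user or group from step 1 of the procedure that still appears in the last list has not been restricted yet.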
