Blocking access to application pages (_layouts) and Forms Pages

A few weeks ago I was fixing a bug in a SharePoint 2010 project available on the internet. The requirement was to prevent access from authenticated users who know the special SharePoint addresses (such as _layouts, etc.).

After some research I found the following post:

http://sharepointtechie.blogspot.com/2011/06/blocking-access-to-application-pages.html

This is what the post says:

SharePoint allows this by enabling the feature “ViewFormPagesLockDown”. This feature is activated at the Site Collection scope. All groups / users not having the “View Application Pages” permission will not be able to navigate to pages like “_layouts/viewlsts.aspx” or “pages/forms/allitems.aspx”.

Below are the steps to block access to application pages:
  1. Identify users / group to restrict.
  2. Set their permission to “Restricted Read” or remove the “View Application Pages” from existing assigned permission level.
  3. Enable “ViewFormPagesLockDown” feature using the PowerShell command (replace the [yoursiteurl] with the right URL):
    stsadm -o activatefeature -url [yoursiteurl] -filename ViewFormPagesLockDown\feature.xml
The above steps will block all users not having “View Application Pages” permission from accessing the application pages and form pages.
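
To verify the result of the steps above, the following added example (not part of the quoted post) activates the feature with the SharePoint 2010 Management Shell cmdlets instead of stsadm, then lists which permission levels and principals on the root web still hold “View Application Pages”. The site URL is a placeholder, and only the root web is audited; subsites with unique permissions need the same check.

```powershell
# Added example: run in the SharePoint 2010 Management Shell with farm admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = 'http://sharepoint.example.com'   # placeholder, replace with your site collection URL
$featureName = 'ViewFormPagesLockDown'

# Step 3: activate the lockdown feature only if it is not already active on the site collection.
if (-not (Get-SPFeature -Identity $featureName -Site $siteUrl -ErrorAction SilentlyContinue)) {
    Enable-SPFeature -Identity $featureName -Url $siteUrl
}

$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb

    # Permission levels that still grant "View Application Pages" (SPBasePermissions.ViewFormPages).
    # The enum is 64-bit, so match on its string form instead of using -band,
    # which older PowerShell versions only support for 32-bit values.
    # FullMask (Full Control) implies every permission, including ViewFormPages.
    $granting = @($web.RoleDefinitions |
        Where-Object { $_.BasePermissions.ToString() -match '\b(ViewFormPages|FullMask)\b' } |
        ForEach-Object { $_.Name })

    Write-Host ("Permission levels that include View Application Pages: " + ($granting -join ', '))

    # Steps 1 and 2: every user or group listed here can still open _layouts and Forms pages.
    foreach ($assignment in $web.RoleAssignments) {
        $hits = @($assignment.RoleDefinitionBindings |
            Where-Object { $granting -contains $_.Name } |
            ForEach-Object { $_.Name })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Principal = $assignment.Member.Name
                Levels    = ($hits -join ', ')
            }
        }
    }
}
finally {
    $site.Dispose()   # SPSite holds unmanaged resources and must be disposed
}
```

Any principal that appears in the output but belongs to the set identified in step 1 still needs its permission level changed.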

Author: Marco Mansi
