Securing SharePoint Anonymous Access – web.config

If you have allowed anonymous access you can secure _layouts and _vti_bin in the web.config.

The question mark ? stands for anonymous users and the star * stands for authenticated users. Note a lot of articles do not have _layouts/1033 listed, but I found I needed to add this for core.css and any custom theme.css. Also, according to Microsoft articles you are meant to add this to a separate XML file in “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\CONFIG”, but it didn't work for me so I cheated and put this in web.config.

  <location path="_layouts">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_vti_bin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/1033">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/error.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/accessdenied.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="_layouts/mobile/mbllogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
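
An added example (not from the original post or from Microsoft) that audits which paths a set of rules like the ones above leaves open to anonymous requests. It assumes standard ASP.NET URL authorization semantics: the most specific `<location>` is checked first, the first matching rule wins, `?` matches anonymous requests, `*` matches every user, and the inherited default is allow. `SAMPLE` is a constructed subset of the rules above, the function names are illustrative, and SharePoint's own permission checks are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the <location> rules from the post, wrapped
# in a <configuration> root so it parses stand-alone.
SAMPLE = """<configuration>
  <location path="_layouts"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
  <location path="_vti_bin"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
  <location path="_layouts/1033"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
  <location path="_layouts/login.aspx"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
  <location path="_layouts/images"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
</configuration>"""

def load_rules(xml_text):
    """Return {location path: [(action, [user tokens]), ...]} in document order."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        auth = next(loc.iter("authorization"), None)
        if auth is None:
            continue
        path = loc.get("path", "").strip("/").lower()
        rules[path] = [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
                       for r in auth if r.tag in ("allow", "deny")]
    return rules

def anonymous_allowed(rules, url_path):
    """Model the URL-authorization decision for an anonymous request."""
    segs = url_path.strip("/").lower().split("/")
    # Walk from the most specific matching location up to the least specific.
    for n in range(len(segs), 0, -1):
        for action, users in rules.get("/".join(segs[:n]), []):
            # An anonymous request matches "?" and also "*" (all users).
            if "?" in users or "*" in users:
                return action == "allow"
    return True  # nothing matched: the inherited default is allow users="*"

def audit(xml_text, paths):
    """Map each path to True if an anonymous request would be allowed."""
    rules = load_rules(xml_text)
    return {p: anonymous_allowed(rules, p) for p in paths}

if __name__ == "__main__":
    checks = ["_layouts/settings.aspx", "_layouts/1033/core.css", "_vti_bin/lists.asmx"]
    for path, ok in audit(SAMPLE, checks).items():
        print(f"{'ALLOW' if ok else 'DENY '}  /{path}")
```

Running the same audit over the full rule set from web.config shows which exceptions under `_layouts` remain reachable without signing in.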
