Securing & Hardening SharePoint Sites – Part 2

Previously we blogged about the reasons for – and potential concerns with – opening up a SharePoint application to external users. The improved collaboration and access to real-time data is certainly compelling, but what if we’re concerned savvy users might decide to poke around the SharePoint site we give them access to? Even with the proxy design available to architects using the CorasWorks platform, there are always those users who may try to access content or underlying back-end SharePoint pages, like the “All Site Content” or “All People” pages.

Luckily, there’s a straightforward way to make some quick adjustments to a masterpage and restrict access to even those system pages for a given site. To start, let’s look at the first few lines of HTML that normally make up the body of a masterpage; this example comes from an unmodified “v4.master” in SharePoint 2010:

<body scroll="no" onload="if (typeof(_spBodyOnLoadWrapper) != 'undefined') _spBodyOnLoadWrapper();">
<form runat="server" onsubmit="if (typeof(_spFormOnSubmitWrapper) != 'undefined') {return _spFormOnSubmitWrapper();} else {return true;}">
<asp:ScriptManager id="ScriptManager" runat="server" EnablePageMethods="false" EnablePartialRendering="true" EnableScriptGlobalization="false" EnableScriptLocalization="true" />
… (The rest of the page)
</form>
</body>

When customizing a masterpage, one of the things you can do is add Security Trimmed Controls, which let you wrap a block of content within your masterpage so that it is rendered (and its scripts run) only for those users whose permissions match the settings specified. Here’s an example of one such use, with the control’s opening and closing tags around the content it protects:

<Sharepoint:SPSecurityTrimmedControl runat="server" ID="HidePage" Permissions="ManageWeb" PermissionMode="All" PermissionContext="CurrentSite">
    … (content rendered only for users who hold ManageWeb on the current site)
</Sharepoint:SPSecurityTrimmedControl>

Now imagine you wanted to secure the entirety of your underlying SharePoint system pages, like “All Site Content” or your native List Views. No problem – simply wrap the entire contents of the <form> tag that encompasses the page and you’ve got a locked site where only users with sufficient permissions can access your back-end pages:

<body scroll="no" onload="if (typeof(_spBodyOnLoadWrapper) != 'undefined') _spBodyOnLoadWrapper();">
<form runat="server" onsubmit="if (typeof(_spFormOnSubmitWrapper) != 'undefined') {return _spFormOnSubmitWrapper();} else {return true;}">
<Sharepoint:SPSecurityTrimmedControl runat="server" ID="HidePage" Permissions="ManageWeb" PermissionMode="All" PermissionContext="CurrentSite">
<div id="FullPage">
<asp:ScriptManager id="ScriptManager" runat="server" EnablePageMethods="false" EnablePartialRendering="true" EnableScriptGlobalization="false" EnableScriptLocalization="true" />
… (The rest of the page)
</div>
</Sharepoint:SPSecurityTrimmedControl>
</form>
</body>

Want to display a note to users who try to sneak their way in? That’s another simple tweak: add a little HTML with some appropriate verbiage before the trimmed control, then hide that message from inside the control so it disappears only when the user does have sufficient rights:

<body scroll="no" onload="if (typeof(_spBodyOnLoadWrapper) != 'undefined') _spBodyOnLoadWrapper();">
<form runat="server" onsubmit="if (typeof(_spFormOnSubmitWrapper) != 'undefined') {return _spFormOnSubmitWrapper();} else {return true;}">
<div id="ReadersMessage" style="width:100%;text-align:center"><h1>Nothing to see here…</h1></div>
<Sharepoint:SPSecurityTrimmedControl runat="server" ID="HidePage" Permissions="ManageWeb" PermissionMode="All" PermissionContext="CurrentSite">
<script type="text/javascript">document.getElementById("ReadersMessage").style.display = 'none';</script>
<div id="FullPage">
<asp:ScriptManager id="ScriptManager" runat="server" EnablePageMethods="false" EnablePartialRendering="true" EnableScriptGlobalization="false" EnableScriptLocalization="true" />
… (The rest of the page)
</div>
</Sharepoint:SPSecurityTrimmedControl>
</form>
</body>

To learn more about the SPSecurityTrimmedControl, check out the documentation from MSDN here: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.webcontrols.spsecuritytrimmedcontrol_properties.aspx

The three properties you will want to focus on are “Permissions”, “PermissionMode” and “PermissionContext”, as seen in the examples above; for reference, the examples here hide the contents of any page using this masterpage from all users except those with Owner (or equivalent) rights on the current site.
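Because the trimmed control shows the full page body to every principal holding ManageWeb, it is worth knowing exactly who that is before rolling the masterpage out. The following is an added example (not from the original post or the CorasWorks platform) for the SharePoint 2010 Management Shell that lists the users and groups granted ManageWeb on a site; the site URL is a placeholder.

```powershell
# Added example: enumerate principals whose role definitions on a web include
# the ManageWeb base permission, i.e. the users who pass the
# SPSecurityTrimmedControl gate in the masterpage. Run on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ManageWebPrincipals {
    param([Parameter(Mandatory = $true)][string]$WebUrl)

    $web = Get-SPWeb $WebUrl
    try {
        $manageWeb = [Microsoft.SharePoint.SPBasePermissions]::ManageWeb
        $results = @()
        foreach ($assignment in $web.RoleAssignments) {
            # One assignment binds one principal (user or group) to its role definitions
            $grants = $assignment.RoleDefinitionBindings |
                Where-Object { ($_.BasePermissions -band $manageWeb) -ne 0 }
            if ($grants) {
                $type = 'User'
                if ($assignment.Member -is [Microsoft.SharePoint.SPGroup]) { $type = 'Group' }
                # New-Object keeps this compatible with the PowerShell 2.0 shell that ships with SP2010
                $results += New-Object PSObject -Property @{
                    Principal = $assignment.Member.Name
                    Type      = $type
                    Roles     = ($grants | ForEach-Object { $_.Name }) -join ', '
                }
            }
        }
        # A web that inherits permissions takes its effective grants from the parent
        if (-not $web.HasUniqueRoleAssignments) {
            Write-Warning "$WebUrl inherits permissions; review the parent site's assignments as well."
        }
        $results
    }
    finally {
        $web.Dispose()
    }
}

# Placeholder URL: replace with the site whose masterpage you are hardening
Get-ManageWebPrincipals -WebUrl 'http://intranet.example.com/sites/partners' |
    Select-Object Principal, Type, Roles | Format-Table -AutoSize
```

Any SharePoint group that appears in the output (for example the default Owners group) should have its membership reviewed, since every member of such a group will see the untrimmed page. The control only governs what the masterpage renders; the permissions on the site, lists and items themselves still need to be scoped correctly.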
