Thursday, July 17, 2008

MySites, Anonymous Access, and Lockdown Mode

Problem

It is sometimes desirable to have anonymous access to parts of a MySite site. The usual facilities for setting anonymous access are available, but they don't seem to work for all elements of the site. While the Default (My Home) page may not have any meaning for anonymous users, and the MyProfile not much, there are occasions when Shared Documents or another doclib might need to be accessed anonymously.

We have found that setting the site to allow anonymous access to the "Entire Web", and setting the library to inherit from its parent (or not to inherit, but to allow anonymous access), enables users to access .doc, .pdf, and other files, but not pages (.aspx). This means that (for example) web part pages, document library lists, and other useful sites are disabled for anonymous access, and the access can't be turned on, even by the site owner.

Tentative Diagnosis

In SharePoint, anonymous users are associated with the permission level "Limited Access". The default settings for limited access are intended for team sites. MOSS has a security provision called "lockdown mode" which is intended to improve security for publishing sites. The MS document "Plan security for an external anonymous access environment (Office SharePoint Server)" <http://technet.microsoft.com/en-us/library/cc263468.aspx> contains a description of lockdown mode:

Lockdown mode is a feature that you can use to secure published sites. When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced.


Lockdown mode appears to be activated by default in the "Publishing Site" template, and perhaps by the "Publishing" features. The page linked above shows the following two commands for lockdown mode:

The following table lists the Stsadm commands related to using lockdown mode.

| Action | Command |
| --- | --- |
| Turn on lockdown mode for a site collection | stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |
| Turn off lockdown mode for a site collection | stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml |

I believe we need to check to see if the lockdown feature is enabled on MySites, and what we need to do to deactivate it across the board.

-- Joshua
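
The check described above could be done with a read-only report like the following. This is an added example, not part of the original post: it lists, for every site collection in a web application, whether the ViewFormPagesLockDown feature is active and what the root web's anonymous setting is. The web application URL is a placeholder, and the script assumes it runs on a farm server under a farm administrator account.

```powershell
# Added example: audit lockdown mode per site collection. Makes no changes.
param(
    # Placeholder URL (assumption); pass the MySites web application URL.
    [string]$WebAppUrl = 'http://mysites.example.com'
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# Resolve the feature ID from the farm's installed definitions by folder name,
# the same name used in the stsadm -filename argument.
$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
$def  = $farm.FeatureDefinitions |
        Where-Object { $_.DisplayName -eq 'ViewFormPagesLockDown' }
if (-not $def) {
    throw 'ViewFormPagesLockDown is not installed in this farm.'
}

$webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebAppUrl)
if (-not $webApp) {
    throw "No web application found at $WebAppUrl"
}

$report = foreach ($site in $webApp.Sites) {
    try {
        # The site-collection feature collection returns $null when the
        # feature is not activated on that site collection.
        $active = $null -ne $site.Features[$def.Id]
        New-Object PSObject -Property @{
            Url            = $site.Url
            LockdownActive = $active
            # Disabled, Enabled (lists and libraries only) or On (entire web)
            AnonymousState = $site.RootWeb.AnonymousState
        }
    }
    finally {
        # SPSite objects taken from the Sites collection must be disposed.
        $site.Dispose()
    }
}

# Site collections that are open to anonymous users without lockdown come first.
$report |
    Sort-Object LockdownActive, Url |
    Format-Table Url, LockdownActive, AnonymousState -AutoSize
```

Rows with LockdownActive False and AnonymousState On are the site collections where anonymous users can reach form and application pages, so they are the ones to review before and after running either stsadm command.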
