Exploring ViewFormPagesLockDown Feature and Anonymous site security


Whenever one finishes setting up an anonymous site in SharePoint, a major part of the work is security. Anonymous users must not be able to navigate to form pages (_layouts/page.aspx), and MOSS provides a neat way to achieve this: a feature known as ViewFormPagesLockDown.

You just need to activate this feature on the CMS site (the base web site) and that's all.

But I was wondering what exactly happens when you activate this feature. My curiosity took me to open up Reflector, and I found the very simple way Microsoft has done this.

Basically it gets the role definition that anonymous users receive, the Guest role, as

// Guest is the role definition applied to anonymous (unauthenticated) users
SPRoleDefinition byType = site.RootWeb.RoleDefinitions.GetByType(SPRoleType.Guest);

and then removes permissions from this guest role:

// EmptyMask is 0, so this clears only the ViewFormPages bit
byType.BasePermissions &= ~(SPBasePermissions.EmptyMask | SPBasePermissions.ViewFormPages);
// anonymous users also lose access to the web services / remote APIs
byType.BasePermissions &= ~SPBasePermissions.UseRemoteAPIs;
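To see the same lockdown as a complete, reversible unit, here is an added example of a feature receiver that strips the two permission bits from the Guest role on activation, puts them back on deactivation, and exposes a small audit check. This is illustration code written for this post, not the receiver Reflector shows inside the ViewFormPagesLockDown feature; the class name, the site-collection scope and the audit helper are assumptions.

```csharp
using System;
using Microsoft.SharePoint;

// Added example (not Microsoft's ViewFormPagesLockDown receiver): applies the same
// permission change to the Guest role and undoes it when the feature is deactivated.
// Class name and site-collection scope are assumptions for this illustration.
public class AnonymousLockDownReceiver : SPFeatureReceiver
{
    // The bits the built-in feature removes from the Guest (anonymous) role.
    private const SPBasePermissions LockedDownPermissions =
        SPBasePermissions.ViewFormPages | SPBasePermissions.UseRemoteAPIs;

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPSite site = properties.Feature.Parent as SPSite;
        if (site == null) return;            // expects a site-collection scoped feature
        SetGuestPermissions(site, false);
    }

    public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
    {
        SPSite site = properties.Feature.Parent as SPSite;
        if (site == null) return;
        SetGuestPermissions(site, true);     // restore the bits so deactivation is clean
    }

    // WSS 3.0 declares these abstract, so they must be overridden even when unused.
    public override void FeatureInstalled(SPFeatureReceiverProperties properties) { }
    public override void FeatureUninstalling(SPFeatureReceiverProperties properties) { }

    // Adds or removes the locked-down bits on the Guest role definition and persists it.
    private static void SetGuestPermissions(SPSite site, bool grant)
    {
        SPRoleDefinition guest = site.RootWeb.RoleDefinitions.GetByType(SPRoleType.Guest);
        if (grant)
            guest.BasePermissions |= LockedDownPermissions;
        else
            guest.BasePermissions &= ~LockedDownPermissions;
        guest.Update();                      // without Update() the change is never saved
    }

    // Audit helper: true when anonymous users can still browse _layouts form pages,
    // i.e. the lockdown is not (or no longer) in effect on this site collection.
    public static bool GuestCanViewFormPages(SPSite site)
    {
        SPRoleDefinition guest = site.RootWeb.RoleDefinitions.GetByType(SPRoleType.Guest);
        return (guest.BasePermissions & SPBasePermissions.ViewFormPages)
               == SPBasePermissions.ViewFormPages;
    }
}
```

Note the call to Update(): the two lines Reflector shows only change the in-memory role definition, and nothing reaches the database until the role definition is saved. The built-in feature itself is normally switched on with stsadm -o activatefeature -name ViewFormPagesLockDown -url <site collection url>; GuestCanViewFormPages is a convenient way to confirm afterwards that the Guest role really lost the bit.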

The SPBasePermissions enum has a value ViewFormPages, the permission that lets users browse pages under the _layouts directory directly; once it is removed from the guest role, anonymous users are blocked from those pages. One more interesting thing I came to know from this post is that when the ViewFormPagesLockDown feature is activated, only pages that derive from the LayoutsPageBase class get secured. So when you want anonymous users to browse some application page under the _layouts directory, you need to derive that page from UnsecuredLayoutsPageBase instead.
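The difference between the two base classes is easiest to see in code-behind. The following is an added example, not code from the post or from Microsoft: one application page that stays reachable for anonymous users after the lockdown, and one that explicitly demands ViewFormPages. The page class names and the rendered text are assumptions for the illustration.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

// Added example: an application page under _layouts that must remain reachable for
// anonymous users while ViewFormPagesLockDown is active. Class name is an assumption.
public class PublicStatusPage : UnsecuredLayoutsPageBase
{
    // UnsecuredLayoutsPageBase consults this before serving an unauthenticated request;
    // the default is false, so the override is what actually opens the page up.
    protected override bool AllowAnonymousAccess
    {
        get { return true; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Everything rendered here is visible without authentication, so keep it to
        // content that is meant to be public and never surface site structure or user data.
        Response.Write("Service status: online");
    }
}

// Added example: the secured counterpart. LayoutsPageBase already refuses anonymous
// users once the Guest role lost ViewFormPages; stating the requirement explicitly
// documents the intent and keeps the page protected even if the role is later edited.
public class InternalReportPage : LayoutsPageBase
{
    protected override SPBasePermissions RightsRequired
    {
        get { return SPBasePermissions.ViewFormPages; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Only reached by a user whose effective permissions include ViewFormPages.
        Response.Write("Internal report for " + SPContext.Current.Web.CurrentUser.LoginName);
    }
}
```

The practical rule that follows: treat every page you place under _layouts as secured unless it deliberately derives from UnsecuredLayoutsPageBase and overrides AllowAnonymousAccess, and review those few pages with the same care as anything else an anonymous visitor can reach.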