How to remove unnecessary handler mappings from a SharePoint 2010 web application for security purposes

This article explains how to restrict or remove unnecessary handler mappings for a Microsoft SharePoint Foundation web application in the integrated request pipeline of Internet Information Services (IIS).

As you know, SharePoint has modified the pipeline. For more information about why SharePoint modifies the request pipeline, please read this topic:
http://msdn.microsoft.com/en-us/library/ee537834.aspx

For a general web application you can modify the pipeline at these levels:

  • Pipeline Changes at the ASP.NET Framework Level: SharePoint does not change anything at this level, meaning SharePoint makes no changes to the machine.config file or the global web.config file.
  • Pipeline Changes at the IIS Configuration Level: modifications to the applicationhost.config file. This file is located in the %WinDir%\System32\inetsrv\config\ directory and contains the registrations of the IIS Web sites and application pools on the server, as well as some settings that apply to all Web applications on the Web server. The settings in applicationhost.config are primarily oriented to the parts of the pipeline that are contributed by IIS, whereas the machine.config and the global web.config files contain settings that are primarily oriented to the parts of the integrated request pipeline that are contributed by ASP.NET.
  • Pipeline Changes at the SharePoint Web Application Level: modifications to the web.config files.
  • Pipeline Changes at the Directory Level: modifications at the directory level, still using web.config files. Particular physical or virtual directories in an IIS Web site can also have their own web.config file to add new settings or override inherited settings. The new settings and overrides, of course, apply only to HTTP requests for resources located within the directory and its subdirectories.

Important! This article is about "Pipeline Changes at the IIS Configuration Level", so back up your applicationhost.config file before doing anything in %WinDir%\System32\inetsrv\config\.

The configuration below is for a standard SharePoint web application, so if you have custom code that needs extra handlers, add the needed handlers to the list.

To remove handler mappings:

1) Open your IIS console.
2) Select your SharePoint Web Application.
3) Click Handler Mappings.

Then remove the unnecessary handler mappings by selecting them and clicking the Remove button in the IIS console.

The handlers in the picture below are the needed ones, so don't delete them.

So SharePoint does not use any .NET Framework 4.0 components or the other default IIS ISAPI extensions.
Always test that your site is still working correctly. For testing, use these starting points:

  • Test Pages
  • Test System Pages
  • Test File Upload
  • Test Search
  • Test SharePoint Designer Connection
  • Add your custom test items.

See you in the next articles.


Restriction Module: secure your ASP.NET application

RestrictionModule makes life easier by securing your ASP.NET or SharePoint site content, pages or documents when authorization restrictions or standard restrictions are not enough. It is developed in C# 3.5.

What is Restriction Module?

Restriction Module is an open source project based on an HttpModule that provides an alternative way to secure your web applications. You can define rules that protect your pages, content or documents. Using the power of regular expressions, the restrictions are more flexible than the forms authentication options in web.config. You can change the security settings at runtime, with no need to recycle the application and no extra downtime.

Configuration of Restriction Module

  • Add Module Definition:

Add the key below to your web.config file under configuration/system.web/httpModules:

<add name="RestrictionModule" type="RestrictionModuleApp.RestrictionModule, RestrictionModuleApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=be23a05ec1781ff6" />

  • Add switch key:

Add the key below to configuration/appSettings:
<add key="RestrictionModuleActive" value="On" />

If the value is "On" the module is active; "Off" means it is inactive.

  • Copy Restriction.xml to your application path.

Restriction.xml file definitions

You should define the restriction rules in the restriction XML file. Here is an example.

<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/_layouts/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>PostDomain\guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

Restriction Rule:

You can define a restriction rule between <RestrictionRule></RestrictionRule> tags.

Restriction Rule Parameters:

  • Enabled: Boolean. Makes this rule active or inactive.
  • Action: Takes two values, "Allow" and "Deny". Default is "Deny". If you choose "Allow", all requests are redirected to the URL defined in the RedirectURL parameter except those from the selected user scope (if the Audiences parameter is empty, all users are selected and no requests are redirected). If you choose "Deny", all requests continue to their normal destination except those from the selected users, which are redirected to the URL defined in the RedirectURL parameter.
  • Mode: Defines which environment variable of the HttpContext the restriction is checked against.
    • RequestURL: Restrict the request using the raw URL of the request.
    • RequestUserHostName: Restrict the request by UserHostName.
    • RequestContentType: Restrict the request by Content Type.
    • RequestUserHostAddress: Restrict the request by UserHostAddress.
  • ContinueRuleList: Boolean. By default, if one rule's expression matches but the request does not match the rule's other criteria, the remaining rules are not executed. If you set this parameter to "true", the remaining rules are executed even when an expression of this rule matched. This feature should be used for two different rules that have the same expression but different modes.

For example:

Rule 1: deny URLs containing "/pages/" for users A and B -> redirect to the access denied page

Rule 2: deny IP addresses starting with "192.168" for users A and C -> redirect to the access denied page

If user C requests a page whose URL contains "/pages/", the expression of Rule 1 matches but the identity does not. By default the expression match is enough and the other rules are not executed. To execute Rule 2 you should set this parameter to true in Rule 1.

Expression:

You can define one or more expressions in a rule. There is no continue-list option for expressions: if one expression matches the pattern or criteria, the others are not executed. Also there is no relation between expressions.

  • Type: Defines an operation on the environment variable. Available operations:
    • Contains: Search for the given parameter within the variable.
    • StartWith: Search for the given parameter at the start of the variable.
    • EndWith: Search for the given parameter at the end of the variable.
    • RegularExpression: Use the given parameter as a pattern and search the variable with it.
  • CaseSensitive: Boolean. Defines case sensitivity for all types except RegularExpression. Default is false. If you want case sensitivity in a regular expression, you have to write it in the pattern.

RedirectURL:

If any expression of a rule matches the criteria, the request will be redirected to this URL. Usually this URL is the Access Denied page or the login page.

Audiences

Access list for a rule. If it is empty, it means all users. If you want to define more than one user, separate the identities with a comma ",".

Example:

<Audiences>BlogDomain\bugra,BlogDomain\postman</Audiences>

Example Restriction Rules

  • Example 1: Allow only BlogDomain\admin to reach URLs starting with http://blog.bugrapostaci.com/admin. Other users will be restricted.
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Allow" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">http://blog.bugrapostaci.com/admin</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>BlogDomain\admin</Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 2: Deny the "Guest" user access to page URLs containing /Pages/Forms/ and /Pages/Admin/
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

  • Example 3: Deny all users whose IP address starts with "192.168.10"
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences> </Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 4: Multiple Rules
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="true">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences></Audiences>
  </RestrictionRule>
</RestrictionRules>

You can visit the project page:

http://restrictionmodule.codeplex.com

You can download the release version:

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144210

And here is the user manual:

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144633

Happy coding.